Edit tour

Windows Analysis Report
setup_run.exe

Overview

General Information

Sample name:	setup_run.exe
Analysis ID:	1525818
MD5:	f9e546bb5a4898d65b61f8b3d93a1662
SHA1:	a4f5d8c4fec7657211c71c31f92d347cad13b1c8
SHA256:	b1a638cc1c6fab24c26193035daa72cdc459deebf7a11de130cf41a4218e81d0
Tags:	exeuser-aachum
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Creates files in alternative data streams (ADS)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

setup_run.exe (PID: 1304 cmdline: "C:\Users\user\Desktop\setup_run.exe" MD5: F9E546BB5A4898D65B61F8B3D93A1662)

setup_run.exe (PID: 6156 cmdline: "C:\Users\user\Desktop\setup_run.exe" MD5: F9E546BB5A4898D65B61F8B3D93A1662)

cmd.exe (PID: 5064 cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 520 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: setup_run.exe PID: 6156	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: setup_run.exe PID: 6156	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\setup_run.exe", ParentImage: C:\Users\user\Desktop\setup_run.exe, ParentProcessId: 6156, ParentProcessName: setup_run.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe", ProcessId: 5064, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T15:16:24.223718+0200	2049441	1	A Network Trojan was detected	192.168.2.9	49705	109.107.181.162	15666	TCP

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T15:16:24.223718+0200	2050806	1	A Network Trojan was detected	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.338303+0200	2050806	1	A Network Trojan was detected	192.168.2.9	49705	109.107.181.162	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T15:16:24.223718+0200	2050807	1	A Network Trojan was detected	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.338303+0200	2050807	1	A Network Trojan was detected	192.168.2.9	49705	109.107.181.162	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\setup_run.exe:a.dll

Avira: detection malicious, Label: HEUR/AGEN.1354117

Multi AV Scanner detection for submitted file

Source: setup_run.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\setup_run.exe:a.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup_run.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006FB20 CryptUnprotectData,LocalFree,	1_2_000000014006FB20
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400D0060 OpenProcessToken,CryptProtectData,BitBlt,	1_2_00000001400D0060
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400D0098 CryptProtectData,	1_2_00000001400D0098
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140035E00 CryptUnprotectData,LocalFree,	1_2_0000000140035E00
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006FE40 CryptProtectData,LocalFree,	1_2_000000014006FE40

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49706 version: TLS 1.2

Source: setup_run.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B66D0 FindClose,FindFirstFileExW,GetLastError,		1_2_00000001400B66D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B6780 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		1_2_00000001400B6780

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007EEF0 GetLogicalDriveStringsW,

1_2_000000014007EEF0

Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbx	0_2_00007FF650A291F6
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then cmp rdx, 01h	0_2_00007FF650A3F160
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	0_2_00007FF650A49250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	0_2_00007FF650A412A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbp	0_2_00007FF650A3A3B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	0_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	0_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	0_2_00007FF650A41630
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	0_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	0_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	0_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r15	0_2_00007FF650A3881E
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbp	0_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	0_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	0_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF650A54DF0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF650A54EE9
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then mov rcx, qword ptr [rcx]	0_2_00007FF650A4AE40
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbx	1_2_00007FF650A291F6
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then cmp rdx, 01h	1_2_00007FF650A3F160
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	1_2_00007FF650A49250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	1_2_00007FF650A412A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbp	1_2_00007FF650A3A3B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	1_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	1_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	1_2_00007FF650A41630
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rdi	1_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	1_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rsi	1_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r15	1_2_00007FF650A3881E
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push rbp	1_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	1_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then push r12	1_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then sub rsp, 28h	1_2_00007FF650A54DF0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then sub rsp, 28h	1_2_00007FF650A54EE9
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 4x nop then mov rcx, qword ptr [rcx]	1_2_00007FF650A4AE40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.9:49705 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.9:49705 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.9:49705 -> 109.107.181.162:15666

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: global traffic

TCP traffic: 192.168.2.9:49705 -> 109.107.181.162:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007C570 recv,recv,closesocket,WSACleanup,

1_2_000000014007C570

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: setup_run.exe, 00000001.00000003.1600289450.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598373186.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1601265710.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598513815.000002157B580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1599915494.000002157B563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: setup_run.exe, 00000001.00000003.2162308315.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162363651.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162448327.000002157D2A4000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1597864768.000002157D291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/ocal
Source: setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup_run.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup_run.exe, 00000001.00000003.1606400571.000002157D580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607442947.000002157D640000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D738000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D785000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D78D000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1616945458.000002157E919000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D730000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4FA000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D804000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4F2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D80C000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setup_run.exe, 00000001.00000003.1606400571.000002157D580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607442947.000002157D640000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D738000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D785000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D78D000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1616945458.000002157E919000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D730000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4FA000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D804000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4F2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D80C000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007D670 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_000000014007D670

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A124B0 GetModuleFileNameW,LoadLibraryA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,wcslen,LdrLoadDll,GetProcAddress,GetCurrentProcess,NtAllocateVirtualMemory,memcpy,memcpy,	0_2_00007FF650A124B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A11E00 memcpy,wcslen,CreateFileW,NtWriteFile,CloseHandle,free,CloseHandle,	0_2_00007FF650A11E00
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400D0670 GdipCreateBitmapFromHBITMAP,GdiplusStartup,NtQueryObject,	1_2_00000001400D0670
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400D06D8 NtQuerySystemInformation,	1_2_00000001400D06D8
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400D06E8 NtAllocateVirtualMemory,	1_2_00000001400D06E8
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140081880 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	1_2_0000000140081880
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140081FC0 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	1_2_0000000140081FC0

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A124B0	0_2_00007FF650A124B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A11E00	0_2_00007FF650A11E00
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A24220	0_2_00007FF650A24220
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A15140	0_2_00007FF650A15140
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A461B0	0_2_00007FF650A461B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A4E380	0_2_00007FF650A4E380
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A115B0	0_2_00007FF650A115B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A2C710	0_2_00007FF650A2C710
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A4C700	0_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A4E690	0_2_00007FF650A4E690
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A52740	0_2_00007FF650A52740
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A17890	0_2_00007FF650A17890
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A3A9F0	0_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A309D0	0_2_00007FF650A309D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A15990	0_2_00007FF650A15990
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A3CB70	0_2_00007FF650A3CB70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A12BB4	0_2_00007FF650A12BB4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A2DDF0	0_2_00007FF650A2DDF0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A4CD40	0_2_00007FF650A4CD40
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A31FC0	0_2_00007FF650A31FC0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B20750	0_2_00007FF8E7B20750
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B1C5B0	0_2_00007FF8E7B1C5B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B04460	0_2_00007FF8E7B04460
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B06360	0_2_00007FF8E7B06360
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B1F190	0_2_00007FF8E7B1F190
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B1AED0	0_2_00007FF8E7B1AED0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B12CF0	0_2_00007FF8E7B12CF0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF8E7B03C10	0_2_00007FF8E7B03C10
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014005F0E0	1_2_000000014005F0E0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140042160	1_2_0000000140042160
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007F1A0	1_2_000000014007F1A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400841FB	1_2_00000001400841FB
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140074330	1_2_0000000140074330
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007E360	1_2_000000014007E360
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140086610	1_2_0000000140086610
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014002F650	1_2_000000014002F650
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007D670	1_2_000000014007D670
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014003B6E0	1_2_000000014003B6E0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B6780	1_2_00000001400B6780
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014003C780	1_2_000000014003C780
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140076B30	1_2_0000000140076B30
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007FB30	1_2_000000014007FB30
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014003AB80	1_2_000000014003AB80
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009AC80	1_2_000000014009AC80
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140084C80	1_2_0000000140084C80
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007CD80	1_2_000000014007CD80
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014003CE20	1_2_000000014003CE20
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009DF30	1_2_000000014009DF30
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014002EF60	1_2_000000014002EF60
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140092024	1_2_0000000140092024
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014007E040	1_2_000000014007E040
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006B040	1_2_000000014006B040
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140036050	1_2_0000000140036050
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006A0A0	1_2_000000014006A0A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014003A0B0	1_2_000000014003A0B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400300C6	1_2_00000001400300C6
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140006180	1_2_0000000140006180
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009E1AC	1_2_000000014009E1AC
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140028200	1_2_0000000140028200
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009220C	1_2_000000014009220C
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B9270	1_2_00000001400B9270
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140053280	1_2_0000000140053280
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140096290	1_2_0000000140096290
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400562E0	1_2_00000001400562E0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400932D4	1_2_00000001400932D4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140082310	1_2_0000000140082310
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140026340	1_2_0000000140026340
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140025350	1_2_0000000140025350
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006A3A0	1_2_000000014006A3A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400A53F4	1_2_00000001400A53F4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400923F4	1_2_00000001400923F4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009C428	1_2_000000014009C428
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006E43A	1_2_000000014006E43A
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014004C4A0	1_2_000000014004C4A0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400624B0	1_2_00000001400624B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140070540	1_2_0000000140070540
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140006610	1_2_0000000140006610
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140059650	1_2_0000000140059650
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006A6D0	1_2_000000014006A6D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400666F0	1_2_00000001400666F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140090730	1_2_0000000140090730
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009E734	1_2_000000014009E734
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140065820	1_2_0000000140065820
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009B8F8	1_2_000000014009B8F8
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400789D0	1_2_00000001400789D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400269E0	1_2_00000001400269E0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006A9F0	1_2_000000014006A9F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140092A3C	1_2_0000000140092A3C
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400A6A5C	1_2_00000001400A6A5C
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140037AAD	1_2_0000000140037AAD
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400BBB10	1_2_00000001400BBB10
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006DB60	1_2_000000014006DB60
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014002FC80	1_2_000000014002FC80
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014004ACD0	1_2_000000014004ACD0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140066CF3	1_2_0000000140066CF3
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006AD10	1_2_000000014006AD10
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140006D20	1_2_0000000140006D20
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009BDA8	1_2_000000014009BDA8
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140005DB0	1_2_0000000140005DB0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006CDE0	1_2_000000014006CDE0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140075E00	1_2_0000000140075E00
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140072E60	1_2_0000000140072E60
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014009CEA8	1_2_000000014009CEA8
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014006DFA0	1_2_000000014006DFA0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014004DFA0	1_2_000000014004DFA0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140038FB0	1_2_0000000140038FB0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_0000000140081FC0	1_2_0000000140081FC0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A24220	1_2_00007FF650A24220
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A15140	1_2_00007FF650A15140
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A461B0	1_2_00007FF650A461B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A4E380	1_2_00007FF650A4E380
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A124B0	1_2_00007FF650A124B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A115B0	1_2_00007FF650A115B0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A2C710	1_2_00007FF650A2C710
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A4C700	1_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A4E690	1_2_00007FF650A4E690
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A52740	1_2_00007FF650A52740
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A17890	1_2_00007FF650A17890
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A3A9F0	1_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A309D0	1_2_00007FF650A309D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A15990	1_2_00007FF650A15990
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A3CB70	1_2_00007FF650A3CB70
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A12BB4	1_2_00007FF650A12BB4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A2DDF0	1_2_00007FF650A2DDF0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A11E00	1_2_00007FF650A11E00
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A4CD40	1_2_00007FF650A4CD40
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A31FC0	1_2_00007FF650A31FC0

Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 00000001400300A0 appears 62 times
Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 00007FF650A548B0 appears 250 times
Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 00007FF650A52650 appears 54 times
Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 00007FF650A54720 appears 88 times
Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\Desktop\setup_run.exe	Code function: String function: 00007FF650A54810 appears 598 times

Source: setup_run.exe_a.dll.0.dr

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_0000000140083540 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,

1_2_0000000140083540

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF650A12BB4 CreateToolhelp32Snapshot,Process32First,MultiByteToWideChar,Process32Next,MultiByteToWideChar,MultiByteToWideChar,

0_2_00007FF650A12BB4

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014006CDE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,

1_2_000000014006CDE0

Source: C:\Users\user\Desktop\setup_run.exe

File created: C:\Users\user\Desktop\setup_run.exe:a.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Users\user\Desktop\setup_run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963A15E1DEB

Source: setup_run.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\setup_run.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup_run.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: setup_run.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: setup_run.exe

Static file information: File size 1766400 > 1048576

Source: setup_run.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x163000

Source: setup_run.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF650A30D70 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF650A30D70

Source: setup_run.exe	Static PE information: section name: .xdata
Source: setup_run.exe_a.dll.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\setup_run.exe

File created: C:\Users\user\Desktop\setup_run.exe:a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_0000000140074060 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

1_2_0000000140074060

Hooking and other Techniques for Hiding and Protection

Creates files in alternative data streams (ADS)

Source: C:\Users\user\Desktop\setup_run.exe

File created: C:\Users\user\Desktop\setup_run.exe:a.dll

Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\setup_run.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"			Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\setup_run.exe	Code function: VMwareVMMicrosofVBoxVBox VMwareVMMicrosofVBoxVBox MicrosofVBoxVBox VBoxVBox VBox		0_2_00007FF650A129E0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: VMwareVMMicrosofVBoxVBox VMwareVMMicrosofVBoxVBox MicrosofVBoxVBox VBoxVBox VBox		1_2_00007FF650A129E0

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000			Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\setup_run.exe:a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\setup_run.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-78951

Source: C:\Users\user\Desktop\setup_run.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-78632

Source: C:\Users\user\Desktop\setup_run.exe

API coverage: 4.3 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B66D0 FindClose,FindFirstFileExW,GetLastError,		1_2_00000001400B66D0
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00000001400B6780 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		1_2_00000001400B6780

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007EEF0 GetLogicalDriveStringsW,

1_2_000000014007EEF0

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_00000001400949C0 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

1_2_00000001400949C0

Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: setup_run.exe	Binary or memory string: VMwareVMMicrosofVBoxVBox
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1598492369.000002157B513000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2161425879.000002157B515000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000002.2163940331.000002157B516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: setup_run.exe	Binary or memory string: 6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAntdll.dllLdrLoadDll:a.dllntdll.dllRtlInitUnicodeStLdrUnloaExecuteVMwareVMMicrosofVBoxVBox
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\setup_run.exe	API call chain: ExitProcess graph end node			graph_1-78582
Source: C:\Users\user\Desktop\setup_run.exe	API call chain: ExitProcess graph end node			graph_1-78586

Source: C:\Users\user\Desktop\setup_run.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF650A124B0 GetModuleFileNameW,LoadLibraryA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,wcslen,LdrLoadDll,GetProcAddress,GetCurrentProcess,NtAllocateVirtualMemory,memcpy,memcpy,

0_2_00007FF650A124B0

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014008D368 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_000000014008D368

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_00000001400B89D4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

1_2_00000001400B89D4

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF650A30D70 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF650A30D70

Source: C:\Users\user\Desktop\setup_run.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe	Code function: 0_2_00007FF650A11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	0_2_00007FF650A11180
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_000000014008D368 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_000000014008D368
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650A11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	1_2_00007FF650A11180
Source: C:\Users\user\Desktop\setup_run.exe	Code function: 1_2_00007FF650BC13E0 SetUnhandledExceptionFilter,	1_2_00007FF650BC13E0

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF8E7B01690 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameA,CreateProcessA,FreeLibrary,FreeLibrary,FreeLibrary,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,

0_2_00007FF8E7B01690

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\setup_run.exe	NtWriteFile: Indirect: 0x7FF650A122C2			Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	NtAllocateVirtualMemory: Indirect: 0x7FF650A12840			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setup_run.exe

Memory written: C:\Users\user\Desktop\setup_run.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\setup_run.exe

Thread register set: target process: 6156

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_0000000140072E60 ShellExecuteW,

1_2_0000000140072E60

Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 0_2_00007FF650A129E0 cpuid

0_2_00007FF650A129E0

Source: C:\Users\user\Desktop\setup_run.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A402C
Source: C:\Users\user\Desktop\setup_run.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A40FC
Source: C:\Users\user\Desktop\setup_run.exe	Code function: EnumSystemLocalesW,	1_2_00000001400992E4
Source: C:\Users\user\Desktop\setup_run.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_00000001400B6340
Source: C:\Users\user\Desktop\setup_run.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00000001400A4538
Source: C:\Users\user\Desktop\setup_run.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00000001400A4714
Source: C:\Users\user\Desktop\setup_run.exe	Code function: GetLocaleInfoW,	1_2_0000000140099828
Source: C:\Users\user\Desktop\setup_run.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00000001400A3CE0

Source: C:\Users\user\Desktop\setup_run.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_00000001400940C0 GetSystemTimeAsFileTime,

1_2_00000001400940C0

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007DC50 GetUserNameW,

1_2_000000014007DC50

Source: C:\Users\user\Desktop\setup_run.exe

Code function: 1_2_000000014007F1A0 GetTimeZoneInformation,GlobalMemoryStatusEx,wcsftime,GetModuleFileNameA,

1_2_000000014007F1A0

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\config
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\wallets
Source: setup_run.exe, 00000001.00000003.1600289450.000002157B563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ny1aaXAgMjMuMDEgKHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzNF0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\setup_run.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setup_run.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\setup_run.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 DLL Side-Loading	NTDS	34 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	311 Process Injection	1 File Deletion	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 NTFS File Attributes	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	11 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setup_run.exe	13%	ReversingLabs
setup_run.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\setup_run.exe:a.dll	100%	Avira	HEUR/AGEN.1354117
C:\Users\user\Desktop\setup_run.exe:a.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	setup_run.exe	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.microsoft	setup_run.exe, 00000001.00000003.1600289450.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598373186.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1601265710.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598513815.000002157B580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1599915494.000002157B563000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5	setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.	setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/ocal	setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta	setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org	setup_run.exe, 00000001.00000003.1606400571.000002157D580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607442947.000002157D640000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D738000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D785000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D78D000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1616945458.000002157E919000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D730000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4FA000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D804000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4F2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D80C000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D588000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.microsoft.t/Regi	setup_run.exe, 00000001.00000003.2162308315.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162363651.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162448327.000002157D2A4000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1597864768.000002157D291000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.107.181.162	unknown	Russian Federation		49973	TELEPORT-TV-ASRU	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525818
Start date and time:	2024-10-04 15:15:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup_run.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 68 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: setup_run.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.107.181.162	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
172.67.74.152	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	c42oX67S73.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	UwBqqeMnswLwstaa.ps1	Get hash	malicious	Unknown	Browse	172.67.74.152
	CHDLSHtWbSRCfzJMtDO.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	QUOTATIONS#08671.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	New order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	WarzoneCheat.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Notaire-document.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEPORT-TV-ASRU	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.162
	wqOq2pxuQB.exe	Get hash	malicious	Stealc, Vidar	Browse	109.107.187.5
	Wv3pZF5jI3.exe	Get hash	malicious	RedLine	Browse	109.107.182.39
	OgcktrbHkI.exe	Get hash	malicious	Tofsee	Browse	109.107.161.150
	clik.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	leadiadequatepro.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.83
	CE1KVxYp5t.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.83
	Ve6VeFSgkz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.83
	fDTPlvsGfH.exe	Get hash	malicious	DCRat	Browse	109.107.182.145
CLOUDFLARENETUS	https://beta.adiance.com/wp-content/plugins/arull.php?7088797967704b536932307464507a637a4c7a736c4d7a733752533837503155744a31586533634466584277413d1	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Payout Receipt.pptx	Get hash	malicious	HTMLPhisher	Browse	104.26.12.69
	Hollandco-File-871871493.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://jhansalazar.weebly.com/	Get hash	malicious	Unknown	Browse	104.18.36.155
	msvcp110.dll	Get hash	malicious	LummaC	Browse	172.67.208.181
	https://hblitigation-news.com/	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://www.google.com/url?sa=t&url=https%3A%2F%2F%6d%6f%73%63%76%61%64%75%6d%61%2e%70%72%6f%2F&usg=AOvVaw0d8WU-1rxjmcdGQTa3JxQL&opi=	Get hash	malicious	HTMLPhisher	Browse	104.21.2.159
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://www.ceolaser.com.mx	Get hash	malicious	Unknown	Browse	104.18.86.42
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	presupuesto urgente.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	-pdf.bat.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	PEDIDO-144797.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	172.67.74.152
	TERMENII CONTRACTULUI (ACORD NOU#U0102 COMAND#U0102)-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	Cotizaci#U00f3n#12643283.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	BnxBRWQWhy.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.74.152
	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.74.152

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\setup_run.exe:a.dll

Download File

Process:	C:\Users\user\Desktop\setup_run.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1430016
Entropy (8bit):	7.540258570611695
Encrypted:	false
SSDEEP:	24576:BjSpDfQz9S49fmFrkhmMFj3NvG3hic74AS0iO2QC65k5lYN/x85eU:BjS9fQzI4vmAj3NvUEcldfb
MD5:	4AB64F8774087D5ABEE3D3E9948A9300
SHA1:	CB42ED04A1B24FDAF69E830CAD784C43D573D0C4
SHA-256:	17F9D20B69FBB1A76558AD6A16629246F9834FB4E0C9813235C7190A3EEB0C02
SHA-512:	7A3251844D7D633F150A623A8C208376E884BAA00CD4E7162220F8C568A6FCB5C8CE7A024A43D0B55FDE3A2280A74C21DA8B8667793DF6AB7A6F9F8091DE51AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...ht.f..........."...)............`........................................@...........`... ..............................................................................0..............................@...(...................@................................text...............................`..`.data....[...0...\..................@....rdata...........0...v..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.825671547285939
Encrypted:	false
SSDEEP:	6:PzXULmWxHLTpUrraGbsW3CNcwAFeMmvVOIHJFxMVlmJHaVFtIk3:P+pTpcraGbsTDAFSkIrxMVlmJHaVPN
MD5:	048DC6B94735C4768D20ED5E3F14F565
SHA1:	6B92CCD1E038396F675090384C6E8DFC742614ED
SHA-256:	6D0C347234F09E710D6B842ED14CD27792E71E5B906E9E806E77AFE8FF08E1BE
SHA-512:	88DF2342FFD4D303BEF828A12F7BEB505DC06E0BE6E91FF7FDA74DE31FAA289089557C036293EE3B0EE55A62D62CC804953C0D89591E662A0B513525AA40093E
Malicious:	false
Reputation:	low
Preview:	..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=6ms TTL=51....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 6ms, Maximum = 6ms, Average = 6ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.76666898865644
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	setup_run.exe
File size:	1'766'400 bytes
MD5:	f9e546bb5a4898d65b61f8b3d93a1662
SHA1:	a4f5d8c4fec7657211c71c31f92d347cad13b1c8
SHA256:	b1a638cc1c6fab24c26193035daa72cdc459deebf7a11de130cf41a4218e81d0
SHA512:	a98fdb03a485051f33ea092b0805d2c2f3e2d3a3a58697a120459139ab2b6c94c27910467cc863ad78defcbf7d90f2edd81fb2356daa9f76bb448e9cf609e037
SSDEEP:	49152:ubo95a6iGYtRzPWn9jbijSv3ZXYUYpyc2y5BkA:eBP0OSvZXwpcy5Bk
TLSH:	BF85F20BA16317A8DA7BF03C82DBEB775FB4B4260353760A56B4EDB30C20A54C27655E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...wt.f...............).@.....................@.............................P......bh....`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FF7477 [Fri Oct 4 04:52:07 2024 UTC]
TLS Callbacks:	0x40018a80, 0x1, 0x40018a50, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0f602b167ea2edb2862b80167a856ba6

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [001A6255h]
mov dword ptr [eax], 00000001h
call 00007FD1ECD128EFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [001A6235h]
mov dword ptr [eax], 00000000h
call 00007FD1ECD128CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FD1ECD32F14h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FD1ECD12BF9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
mov ecx, dword ptr [001AEB19h]
dec eax
test ecx, ecx
je 00007FD1ECD12C36h
mov edx, 00000080h
jmp 00007FD1ECD5560Fh
nop word ptr [eax+eax+00000000h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
dec eax
mov eax, ecx
mov ecx, edx
dec eax
ror eax, cl
ret
nop dword ptr [eax+00000000h]
dec eax
mov eax, dword ptr [edx]
dec eax
add eax, dword ptr [esp+28h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b1000	0xc0c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1a9000	0x2fdc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b4000	0x454	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a6d40	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b12f8	0x2b8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43f70	0x44000	8d433492df9f502060d4f14164bb50d2	False	0.3938455020680147	data	6.170003517934829	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x45000	0x230	0x400	830dd06eb053a46603697fd167559c45	False	0.107421875	data	0.8895331905131053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x46000	0x162f40	0x163000	6bd413a4b6a90979728a39c423ad2237	False	0.7709286971830986	data	7.859176318674573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1a9000	0x2fdc	0x3000	b9dedd6068d92fee0b019287dfdb93f6	False	0.5152994791666666	data	5.678550646076363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1ac000	0x32a8	0x3400	04fbf7a6728bf7eae9ddf87253171fab	False	0.16180889423076922	data	4.4029397090966205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x1b0000	0xbb0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1b1000	0xc0c	0xe00	e30d04166fad4560c9a1095813a69d1a	False	0.29910714285714285	data	3.9564641114749772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1b2000	0x60	0x200	f303315166bc328516c2f9cb549a03a4	False	0.06640625	data	0.3124937745953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1b3000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1b4000	0x454	0x600	565a12b38b27deb85ef54f02657041ea	False	0.4908854166666667	GLS_BINARY_LSB_FIRST	4.531455055422804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateFileW, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, FormatMessageA, GetCurrentProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetThreadId, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, MultiByteToWideChar, Process32First, Process32Next, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualProtect, VirtualQuery, WideCharToMultiByte

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _strlwr, abort, calloc, exit, fprintf, fputc, fputs, free, fwrite, getenv, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, realloc, signal, strchr, strcmp, strcpy_s, strerror, strlen, strncmp, strstr, strtoul, vfprintf, wcslen, _read

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T15:16:24.223718+0200	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.223718+0200	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.223718+0200	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.338303+0200	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.9	49705	109.107.181.162	15666	TCP
2024-10-04T15:16:24.338303+0200	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.9	49705	109.107.181.162	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 15:16:17.225641012 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:17.823184967 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:17.823337078 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:19.672213078 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:19.672255993 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:19.672373056 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:19.682329893 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:19.682353020 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.170902967 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.171010971 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.228884935 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.228908062 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.229357004 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.229423046 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.230668068 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.275402069 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.340538025 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.340696096 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.340713024 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.340769053 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.340811014 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.340850115 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.340866089 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:20.340910912 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.340980053 CEST	49706	443	192.168.2.9	172.67.74.152
Oct 4, 2024 15:16:20.340993881 CEST	443	49706	172.67.74.152	192.168.2.9
Oct 4, 2024 15:16:24.223717928 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338181019 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338195086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338206053 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338253975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338303089 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338314056 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338319063 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338371038 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338393927 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338587999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338598013 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338625908 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338655949 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.338834047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.338907957 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.339050055 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.339123011 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343328953 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343341112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343363047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343378067 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343403101 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343411922 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343411922 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343422890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343497038 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343501091 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343550920 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343668938 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343684912 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343714952 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343728065 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343883991 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.343936920 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.343961000 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.344007969 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.344078064 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.344124079 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.348452091 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348507881 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.348561049 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348571062 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348623037 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348639011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348639965 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.348697901 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.348750114 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.348789930 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.349087954 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349098921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349107981 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349112034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349119902 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349128962 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349137068 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349149942 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.349153996 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349163055 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349167109 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.349172115 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.349198103 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.349210978 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.349350929 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353409052 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353420019 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353427887 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353470087 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353477955 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353523970 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353542089 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353543997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353552103 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353595972 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353602886 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353611946 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353621006 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353630066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353635073 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353657961 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353712082 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353744984 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353754997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353765011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353801966 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353836060 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353916883 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.353919029 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353966951 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.353986025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354032993 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354526043 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354536057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354543924 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354552984 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354561090 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354568958 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354578018 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354579926 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354582071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354589939 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354598999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354608059 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354610920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354614973 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354621887 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354624033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354634047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354643106 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354644060 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354650974 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354660034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354684114 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354702950 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354809999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354820013 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354827881 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354835987 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354856014 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354861975 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354866982 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354872942 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354886055 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354893923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354902029 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354911089 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354918957 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354921103 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354928017 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354937077 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354944944 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354949951 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.354953051 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354962111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354969978 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.354984999 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355012894 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355025053 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355118990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355128050 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355135918 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355144978 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355153084 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355160952 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355169058 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355169058 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355178118 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355190992 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355192900 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355226040 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355227947 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.355240107 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.355289936 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358320951 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358429909 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358504057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358553886 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358598948 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358608007 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358618021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358634949 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358642101 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358666897 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358711958 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358721018 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358725071 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358730078 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358752966 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358761072 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358766079 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358768940 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358778000 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358786106 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358803988 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358831882 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358872890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358882904 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358900070 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358910084 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358912945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358923912 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358949900 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.358953953 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.358994007 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.359510899 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359569073 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.359587908 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359597921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359607935 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359625101 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359633923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359642982 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359647036 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359651089 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359658957 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.359661102 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359668970 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359669924 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.359683990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.359708071 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.359733105 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360061884 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360080004 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360089064 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360097885 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360106945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360115051 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360124111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360133886 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360160112 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360176086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360183954 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360192060 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360194921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360213041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360217094 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360220909 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360230923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360268116 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360302925 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360304117 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360312939 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360321045 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360331059 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360348940 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360352993 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360357046 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360373020 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360379934 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360383034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360399961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360407114 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360409021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360418081 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360431910 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360435009 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360440969 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360449076 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360467911 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360487938 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360569000 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360599995 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360610008 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360620975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360641956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360651016 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360651970 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360658884 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360667944 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360672951 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360676050 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360685110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360692978 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360697031 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360702991 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360704899 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360713005 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360721111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360723019 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360728979 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360737085 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360760927 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360790014 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360920906 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360929966 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360939026 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360948086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360955954 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360964060 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360964060 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.360971928 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.360980988 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361027002 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361196041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361206055 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361212969 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361234903 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361241102 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361243010 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361252069 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361259937 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361268044 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361285925 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361299992 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361320972 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361355066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.361514091 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.361979961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362000942 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362010956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362019062 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362054110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362070084 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362077951 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362116098 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362137079 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362181902 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362191916 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362200022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362207890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362231970 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362281084 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362282038 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362324953 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362324953 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362334967 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362344027 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362353086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362363100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362396002 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362426043 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362479925 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362489939 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362498999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362507105 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362515926 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362524033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362551928 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362580061 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362607956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362617970 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362626076 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362633944 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362694025 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362770081 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362780094 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.362803936 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.362828016 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363032103 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363042116 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363049984 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363079071 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363128901 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363492012 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363502026 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363509893 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363571882 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363858938 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363868952 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363877058 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363886118 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363893986 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363902092 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363909006 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363933086 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363957882 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.363986015 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.363995075 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364002943 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364012003 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364018917 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364027977 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364036083 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364043951 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364052057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364052057 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364062071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364070892 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364079952 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364084005 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364088058 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364111900 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364141941 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364207983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364249945 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364253044 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364262104 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364289999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364299059 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364305019 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364335060 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364384890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364394903 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364403009 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364428997 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364458084 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364521980 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364531040 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364540100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364542961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364551067 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364562035 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364569902 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364578009 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364586115 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364588022 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364619970 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364634991 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364784956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364794970 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364844084 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364880085 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364888906 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364897013 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364929914 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364929914 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364938021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.364947081 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.364985943 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365017891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365026951 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365036011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365067005 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365113020 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365125895 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365214109 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365222931 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365236044 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365258932 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365267038 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365287066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365295887 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365305901 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365328074 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365336895 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365345955 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365355968 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365370989 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365398884 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365401030 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365410089 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365448952 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365502119 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365511894 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365520000 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365542889 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365571976 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365626097 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365670919 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365675926 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365684986 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365732908 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.365891933 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365900993 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.365945101 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366014957 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366024971 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366046906 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366055965 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366061926 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366064072 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366072893 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366081953 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366089106 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366120100 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366146088 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366180897 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366189957 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366219997 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366245031 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366254091 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366261959 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366317034 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366384029 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366429090 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366436005 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366445065 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366453886 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366461992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366482973 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366554022 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366594076 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366602898 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366611958 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366647959 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366691113 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366700888 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366708994 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366718054 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366727114 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366738081 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366767883 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366827011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366837025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366844893 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366852999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366861105 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366868973 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366873026 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366877079 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366885900 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366894007 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.366904974 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366930962 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.366986036 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367039919 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367059946 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367069006 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367077112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367082119 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367085934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367094994 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367103100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367105961 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367111921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367120981 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367130041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367131948 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367150068 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367158890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367161036 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367176056 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367188931 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367191076 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367199898 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367208004 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367216110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367219925 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367223978 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367232084 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367239952 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367240906 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367244005 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367253065 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367261887 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367275000 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367294073 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367306948 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367307901 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367317915 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367326021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367335081 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367342949 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367351055 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367357016 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367358923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367367029 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367374897 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367377043 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367398024 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367405891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367414951 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367423058 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367424011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367433071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367440939 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367448092 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367449045 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367460012 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367466927 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367480993 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367496014 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367522955 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367556095 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367563963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367573023 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367580891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367588997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367597103 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367621899 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367646933 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367681026 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367691040 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367700100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367707968 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367716074 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367723942 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367732048 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367739916 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367744923 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367757082 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367788076 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367842913 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367851973 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367860079 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367862940 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.367882013 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.367908955 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.409904003 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.410099030 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410468102 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410522938 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410569906 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410650969 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410696983 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410778999 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410826921 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410888910 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.410934925 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.411000013 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.411043882 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.430862904 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.431138039 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.431219101 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.431274891 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.431337118 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.431366920 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.436793089 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.436959982 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.437036991 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.437081099 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.477863073 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.480473042 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.524430990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.524657011 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.524988890 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525051117 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525114059 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525207043 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525260925 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525335073 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525381088 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525441885 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525489092 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525557995 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525605917 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525675058 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.525691032 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.529597998 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.532226086 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.569827080 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.572506905 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.572638988 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.572700977 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.572741985 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.584822893 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.584836960 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.585284948 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.585386992 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.585428953 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.590338945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.592976093 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.593077898 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.593127012 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.633894920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.633996964 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658504963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.658622980 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658668995 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.658718109 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658768892 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658824921 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658890009 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658935070 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.658987045 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.659008026 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.666376114 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.668431044 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.706270933 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.708364964 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.727895021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.728184938 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.728209019 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728296995 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728358030 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728408098 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728458881 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728518963 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728566885 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728631020 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.728653908 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.736793041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.740534067 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740603924 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740652084 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740711927 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740762949 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740824938 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.740844011 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.776287079 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.777931929 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.791346073 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.792576075 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.792654991 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793061972 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793128014 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793167114 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793222904 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793263912 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793308973 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793348074 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793399096 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793437958 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793484926 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793538094 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793587923 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.793637037 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.804815054 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804828882 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804836988 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804846048 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804853916 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804862976 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804872036 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804898024 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.804899931 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804910898 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804919958 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804928064 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804934025 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.804951906 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.804976940 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.804985046 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.804994106 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805002928 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805021048 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805037022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805051088 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805057049 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805059910 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805068970 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805072069 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805088997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805099010 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805099010 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805125952 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805152893 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805372000 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805382013 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805401087 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805409908 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805427074 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805449009 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805525064 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805609941 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805654049 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805675983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805685997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805726051 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805773973 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805783033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805828094 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805830956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805849075 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805893898 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805901051 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805910110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805931091 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.805948973 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805969000 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.805999041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806057930 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806061029 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806081057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806128979 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806205988 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806294918 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806343079 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806376934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806557894 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806566954 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806603909 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806607008 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806612968 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806622028 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806652069 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806724072 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806731939 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806734085 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806742907 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.806781054 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.806798935 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807003975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807018042 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807027102 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807035923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807044983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807070971 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807076931 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807084084 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807086945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807095051 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807104111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807112932 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807121038 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807136059 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807176113 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807204008 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807214022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807264090 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807707071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807718992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807727098 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807738066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807745934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807754993 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807763100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807770967 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807771921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807780027 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807789087 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807797909 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807799101 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807806015 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807815075 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807822943 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807832003 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807833910 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807841063 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807848930 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807857990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807873011 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807893038 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807904959 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.807959080 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807967901 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807976961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807985067 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.807992935 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808001995 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808010101 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808011055 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808020115 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808022022 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808028936 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808037996 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808067083 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808079004 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808151960 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808162928 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808171034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808181047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808188915 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808197975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808203936 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808206081 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808216095 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808223963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808232069 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808233023 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808240891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.808271885 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.808311939 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.812525034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.812604904 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.812863111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.812963963 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.813400984 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813410997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813450098 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.813502073 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813512087 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813519955 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813529015 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813538074 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813543081 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.813545942 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813555002 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813564062 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813570976 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.813571930 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813580990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.813606024 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.813627005 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.814007044 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814017057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814058065 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.814121008 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814130068 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814137936 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814146996 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814155102 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814165115 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814172983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814177036 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.814182043 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814189911 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814198017 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814207077 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814208031 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.814214945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.814237118 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.814273119 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.842304945 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843875885 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843885899 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843894958 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843904018 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843911886 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843919992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843928099 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843936920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843945026 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.843952894 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844156981 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844166994 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844175100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844177961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844187975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844197035 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844204903 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844213009 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844213963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844223022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844274044 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844316959 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844361067 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844405890 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844472885 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844512939 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844521999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844540119 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844548941 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844558001 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844558954 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844567060 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844575882 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844599962 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844609022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844619036 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844628096 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844635963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844644070 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844645023 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844652891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844661951 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844671011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844681025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844686985 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844688892 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844698906 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844715118 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844738960 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844747066 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844749928 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844758987 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844768047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844777107 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844784975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844793081 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844794035 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844801903 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844819069 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844827890 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844835997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844846010 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844849110 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844856024 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844863892 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.844891071 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.844958067 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845010996 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845086098 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845092058 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845096111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845103979 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845108032 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845112085 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845118046 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845122099 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845130920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845140934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845150948 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845159054 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845170975 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845171928 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845180035 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845189095 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845196962 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845206022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845206976 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845215082 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845223904 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845223904 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845232010 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845241070 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845251083 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845251083 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845259905 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845268965 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845272064 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845278025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845284939 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845288992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845299006 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845309973 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845318079 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845319033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845323086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845326900 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845330000 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845346928 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845360994 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845371962 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845376968 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845386028 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845393896 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845402956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845411062 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845419884 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845427990 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845438004 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845447063 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845453978 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845457077 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845465899 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845474005 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845488071 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845524073 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845643997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845654011 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845662117 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845670938 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.845691919 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.845711946 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.852946997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.852957964 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853060961 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853174925 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853184938 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853193998 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853197098 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853200912 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853204012 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853208065 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853238106 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853245974 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853255033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853266954 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853287935 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853312016 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853317976 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853327036 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853360891 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853400946 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853416920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853425980 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853435040 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853455067 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853462934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853480101 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853485107 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853499889 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853507996 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853509903 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853518963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853528023 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853530884 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853537083 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853547096 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853600025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853601933 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853609085 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853617907 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853626966 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.853665113 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.853698969 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.854995966 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.855005026 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.855015039 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.855024099 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.855032921 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.855072021 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.855099916 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856164932 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856175900 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856184006 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856188059 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856192112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856208086 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856218100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856236935 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856245041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856247902 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856255054 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856262922 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856271982 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856273890 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856281996 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856292009 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856300116 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856298923 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856307983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856317997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856321096 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856324911 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856333971 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856337070 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856343031 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856350899 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856359959 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856360912 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856369019 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856374025 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856384993 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856394053 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856398106 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856403112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856415033 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856420040 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856429100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856437922 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856446981 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856453896 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856458902 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856468916 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856487989 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856488943 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856498003 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856502056 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856507063 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856515884 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856530905 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856539965 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856540918 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856548071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856556892 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856564999 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856573105 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856581926 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856585979 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856590033 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856599092 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856606960 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856616020 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856623888 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856637955 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856642962 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856652021 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856652975 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856662035 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856663942 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856672049 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856681108 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.856707096 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.856722116 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.857337952 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.857350111 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.857359886 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.857367992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.857377052 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.857420921 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858011961 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858022928 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858032942 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858042955 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858051062 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858052969 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858059883 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858068943 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858077049 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858086109 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858095884 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858103037 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858103991 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858113050 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858122110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858130932 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858133078 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858139992 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858148098 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858151913 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858158112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858165979 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858175039 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858184099 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858191967 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858202934 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858215094 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.858234882 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.858269930 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860027075 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860037088 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860044956 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860049009 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860052109 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860059977 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860069036 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860078096 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860100031 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860110044 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860121012 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860130072 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860133886 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860137939 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860141993 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860145092 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860150099 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860158920 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860167980 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860196114 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860208035 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860218048 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860225916 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860234976 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860236883 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860243082 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860251904 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860251904 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860260963 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860270023 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860281944 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860290051 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860299110 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860301018 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860307932 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860316038 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860326052 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860331059 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860335112 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860342979 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860352039 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860356092 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860359907 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860372066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860379934 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860388041 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860389948 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860397100 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860403061 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860405922 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860414982 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860423088 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860433102 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860435009 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860441923 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860450983 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860460043 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860466957 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860482931 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860488892 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860500097 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860502005 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860507965 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860517025 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860527039 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860533953 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860542059 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860551119 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860558987 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860583067 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860591888 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860605001 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.860935926 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.860996008 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861087084 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861095905 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861104012 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861113071 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861155033 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861165047 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861175060 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861181974 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861191034 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861192942 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861200094 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861208916 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861217022 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861226082 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861233950 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861234903 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861243010 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861252069 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861258030 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861260891 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861268997 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861278057 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861285925 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861289978 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861293077 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861299038 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.861308098 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.861340046 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.866218090 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.866481066 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.866491079 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.866650105 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.866666079 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.866704941 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.866874933 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.866962910 CEST	15666	49705	109.107.181.162	192.168.2.9
Oct 4, 2024 15:16:24.866965055 CEST	49705	15666	192.168.2.9	109.107.181.162
Oct 4, 2024 15:16:24.867142916 CEST	49705	15666	192.168.2.9	109.107.181.162

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 15:16:19.658694029 CEST	192.168.2.9	1.1.1.1	0x378d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 15:16:19.666352987 CEST	1.1.1.1	192.168.2.9	0x378d	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:16:19.666352987 CEST	1.1.1.1	192.168.2.9	0x378d	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:16:19.666352987 CEST	1.1.1.1	192.168.2.9	0x378d	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	172.67.74.152	443	6156	C:\Users\user\Desktop\setup_run.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 13:16:20 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-10-04 13:16:20 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 13:16:20 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8cd57222bbc243b8-EWR
2024-10-04 13:16:20 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	09:16:16
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\setup_run.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup_run.exe"
Imagebase:	0x7ff650a10000
File size:	1'766'400 bytes
MD5 hash:	F9E546BB5A4898D65B61F8B3D93A1662
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:16:16
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\setup_run.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup_run.exe"
Imagebase:	0x7ff650a10000
File size:	1'766'400 bytes
MD5 hash:	F9E546BB5A4898D65B61F8B3D93A1662
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:17:15
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Imagebase:	0x7ff7087c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:17:15
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:17:16
Start date:	04/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 1.1.1.1 -n 1 -w 3000
Imagebase:	0x7ff611d00000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.6%
Total number of Nodes:	273
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF8E7B01690 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 193
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8E7B01710
LoadLibraryA.KERNEL32 ref: 00007FF8E7B01736
GetProcAddress.KERNEL32 ref: 00007FF8E7B01789
GetProcAddress.KERNEL32 ref: 00007FF8E7B017BA
GetProcAddress.KERNEL32 ref: 00007FF8E7B017F7
GetProcAddress.KERNEL32 ref: 00007FF8E7B0182C
GetModuleFileNameA.KERNEL32 ref: 00007FF8E7B01857
CreateProcessA.KERNELBASE ref: 00007FF8E7B01894
FreeLibrary.KERNEL32 ref: 00007FF8E7B018AA
FreeLibrary.KERNEL32 ref: 00007FF8E7B018AF
VirtualAlloc.KERNEL32 ref: 00007FF8E7B018D9
GetThreadContext.KERNEL32 ref: 00007FF8E7B018F1
VirtualAllocEx.KERNELBASE ref: 00007FF8E7B0192E
WriteProcessMemory.KERNELBASE ref: 00007FF8E7B0194D
WriteProcessMemory.KERNELBASE ref: 00007FF8E7B01998
WriteProcessMemory.KERNELBASE ref: 00007FF8E7B019C0
SetThreadContext.KERNEL32 ref: 00007FF8E7B019E7
ResumeThread.KERNEL32 ref: 00007FF8E7B019F2
WaitForSingleObject.KERNEL32 ref: 00007FF8E7B019FF

Strings

lloc, xrefs: 00007FF8E7B017C5
VirtualA, xrefs: 00007FF8E7B017D5
kernel32ntdll.dlCreatePr, xrefs: 00007FF8E7B016F9
@, xrefs: 00007FF8E7B01926

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: AddressLibraryProcProcess$MemoryThreadWrite$AllocContextFreeLoadVirtual$CreateFileModuleNameObjectResumeSingleWait
String ID: @$VirtualA$kernel32ntdll.dlCreatePr$lloc
API String ID: 4114231647-2595456714
Opcode ID: 8f029ea0af0b6cdcc6dd1127ecba04c35eabaa87f70611b312bbaf9f5290573f
Instruction ID: c75bf81705d6f1a83dd13aef2f55332c8a0dd71cc35b13f4853b0c18f79ef3eb
Opcode Fuzzy Hash: 8f029ea0af0b6cdcc6dd1127ecba04c35eabaa87f70611b312bbaf9f5290573f
Instruction Fuzzy Hash: D9916832618B8182EB648B56F8447AEB7A5FB98BC4F004125EEDD53B68DF7CD185CB01

Function 00007FF650A124B0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 301
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF650A124F0
LoadLibraryA.KERNEL32 ref: 00007FF650A12627
GetModuleHandleA.KERNELBASE ref: 00007FF650A12643
GetProcAddress.KERNEL32 ref: 00007FF650A12657
GetProcAddress.KERNEL32 ref: 00007FF650A12686
GetProcAddress.KERNEL32 ref: 00007FF650A126D3
wcslen.MSVCRT ref: 00007FF650A126F8
wcslen.MSVCRT ref: 00007FF650A12757
LdrLoadDll.NTDLL ref: 00007FF650A127F8
GetProcAddress.KERNEL32 ref: 00007FF650A12818
GetCurrentProcess.KERNEL32 ref: 00007FF650A12820

Strings

LdrUnloaExecute, xrefs: 00007FF650A1269C
basic_string::append, xrefs: 00007FF650A1298A
:a.dll, xrefs: 00007FF650A12748
dDll, xrefs: 00007FF650A12769
LdrLoadDll, xrefs: 00007FF650A1264D
ntdll.dll, xrefs: 00007FF650A12634
ringdDll, xrefs: 00007FF650A127CF

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: AddressProc$LoadModulewcslen$CurrentFileHandleLibraryNameProcess
String ID: :a.dll$LdrLoadDll$LdrUnloaExecute$basic_string::append$dDll$ntdll.dll$ringdDll
API String ID: 1847622883-2830737291
Opcode ID: 73b5bf2017dc7c5df71ce153f8624740e1d338af0706b29fe35351e0ffb6e9af
Instruction ID: 81a1e65ffafbe6834f329f6b92ff0b5c4e9b3893a43279533fdc11bfbc6efa4f
Opcode Fuzzy Hash: 73b5bf2017dc7c5df71ce153f8624740e1d338af0706b29fe35351e0ffb6e9af
Instruction Fuzzy Hash: 04C17137608B8791EA24CB56E4507AAA761FBC5BC4F488131EE8E97B9ADF3CD055C700

Function 00007FF650A11E00 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

memcpy.MSVCRT ref: 00007FF650A11E3E
wcslen.MSVCRT ref: 00007FF650A120C4

Strings

y7UkVAEe, xrefs: 00007FF650A11E53
basic_string::append, xrefs: 00007FF650A12464, 00007FF650A12470, 00007FF650A1247C

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: mallocmemcpywcslen
String ID: basic_string::append$y7UkVAEe
API String ID: 918279302-3485675714
Opcode ID: fc6dff767d0b5108a5859a4582fb60012bff74da300d820909054df24a79d096
Instruction ID: b2c8dca293f69401ceb18edec36703f5936ca8448a5248399c3ce7b0b47651ec
Opcode Fuzzy Hash: fc6dff767d0b5108a5859a4582fb60012bff74da300d820909054df24a79d096
Instruction Fuzzy Hash: 32F1E737A19A83A1DA20CBA5E4103AE7761FB85B90F888731DA5DA77D6EF3CD155C300

Function 00007FF650A11180 Relevance: 12.2, APIs: 8, Instructions: 191
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF650A111DE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF650A1124B
malloc.MSVCRT ref: 00007FF650A11312
strlen.MSVCRT ref: 00007FF650A11334
malloc.MSVCRT ref: 00007FF650A11340
memcpy.MSVCRT ref: 00007FF650A11358
GetStartupInfoA.KERNEL32 ref: 00007FF650A11443

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: 02f56bbec029d51f23834e3a73079cb737bf4528bee579ecc5a0e7da80d8e805
Instruction ID: 7f177994ce274f1010933cc97953bc824d870fab4cae35aaee98f75bc09c4fb4
Opcode Fuzzy Hash: 02f56bbec029d51f23834e3a73079cb737bf4528bee579ecc5a0e7da80d8e805
Instruction Fuzzy Hash: E2816A36E09647A6FB519B96E4907B923A1BF46B80F4C4435DA0EE7392DF3DE800C740

Function 00007FF650A54B60 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 120
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcmp.MSVCRT ref: 00007FF650A54C5F
malloc.MSVCRT ref: 00007FF650A54CE8
strtoul.MSVCRT ref: 00007FF650A54D33

Strings

glibcxx., xrefs: 00007FF650A54B93
:, xrefs: 00007FF650A54C17
obj_count, xrefs: 00007FF650A54BD3, 00007FF650A54C58
obj_size, xrefs: 00007FF650A54C31
GLIBCXX_TUNABLES, xrefs: 00007FF650A54B81
., xrefs: 00007FF650A54C2B
.eh_pool, xrefs: 00007FF650A54BA4
obj_size, xrefs: 00007FF650A54BBE
=, xrefs: 00007FF650A54C68
=, xrefs: 00007FF650A54C45

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: mallocmemcmpstrtoul
String ID: .$.eh_pool$:$=$=$GLIBCXX_TUNABLES$glibcxx.$obj_count$obj_size$obj_size
API String ID: 920383374-3633263654
Opcode ID: 6a49c943fb4a4462079c45002831cc426f180767bd56bfe962260e807522214e
Instruction ID: ce10c2fb7b33645822549f10d0e8784628c0c44ddca8afc72ab9dd57273dba3a
Opcode Fuzzy Hash: 6a49c943fb4a4462079c45002831cc426f180767bd56bfe962260e807522214e
Instruction Fuzzy Hash: 25519D37A0EA43A6FF518BA1F4403B96AA0FB85788F5C4135D94DE6396EE3DE580C300

Function 00007FF8E7B222C0 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 120
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcmp.MSVCRT ref: 00007FF8E7B223BF
malloc.MSVCRT ref: 00007FF8E7B22448
strtoul.MSVCRT ref: 00007FF8E7B22493

Strings

=, xrefs: 00007FF8E7B223A5
=, xrefs: 00007FF8E7B223C8
obj_size, xrefs: 00007FF8E7B2231E
obj_size, xrefs: 00007FF8E7B22391
obj_count, xrefs: 00007FF8E7B22333, 00007FF8E7B223B8
glibcxx., xrefs: 00007FF8E7B222F3
GLIBCXX_TUNABLES, xrefs: 00007FF8E7B222E1
.eh_pool, xrefs: 00007FF8E7B22304
:, xrefs: 00007FF8E7B22377
., xrefs: 00007FF8E7B2238B

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: mallocmemcmpstrtoul
String ID: .$.eh_pool$:$=$=$GLIBCXX_TUNABLES$glibcxx.$obj_count$obj_size$obj_size
API String ID: 920383374-3633263654
Opcode ID: 5a332e903c781fc982e7646cb44707ac431f27f5668ce2891eaba40441686165
Instruction ID: 823f39da99e4c1af35e474ab859bead50a9c49f2eec6bf3abfda16cbe4d5c3a1
Opcode Fuzzy Hash: 5a332e903c781fc982e7646cb44707ac431f27f5668ce2891eaba40441686165
Instruction Fuzzy Hash: 0151C031E0E6C689FB118B90F8413BE76D8EF987C4F954035EA6D86295EE3EE544C342

Function 00007FF8E7B011D0 Relevance: 7.7, APIs: 5, Instructions: 164
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF8E7B0128D
_amsg_exit.MSVCRT ref: 00007FF8E7B012BC

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: fa4cdccd0cc9a4bfc092056aca07d8228318a12993dcb0466b4364e0d20e8905
Instruction ID: 22f88272a8c3ff02cbadb1e35b41dd0147965a390ee0da5d486f18165aff9093
Opcode Fuzzy Hash: fa4cdccd0cc9a4bfc092056aca07d8228318a12993dcb0466b4364e0d20e8905
Instruction Fuzzy Hash: 5F517C30A0D24BCAF7189BE6D94037E72956FD6BC0F444034DE2DAB7D2EE2CA5419342

Function 00007FF650A53F30 Relevance: 2.6, APIs: 2, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF650A53F47

Part of subcall function 00007FF650A54010: malloc.MSVCRT ref: 00007FF650A5401F

malloc.MSVCRT ref: 00007FF650A53FAA

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f9fc79fd16bcaafb964f66e3b340d7e38e474c5a59071ff019fbd2d497fd9303
Instruction ID: 794321e2bd0c8684620a762d3df0783799e043e75fcb455ed8e99da365d6a69b
Opcode Fuzzy Hash: f9fc79fd16bcaafb964f66e3b340d7e38e474c5a59071ff019fbd2d497fd9303
Instruction Fuzzy Hash: 0411A377F1670362FE689BE5B5213B85291AF49790F4C4A34D91DEA3C3EE2CE4848300

Function 00007FF8E7B21C20 Relevance: 2.6, APIs: 2, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF8E7B21C37

Part of subcall function 00007FF8E7B21D00: malloc.MSVCRT ref: 00007FF8E7B21D0F

malloc.MSVCRT ref: 00007FF8E7B21C9A

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 5c9ccfee4c7606e935e0eb480a30eada8749d5be36f3775607aeed9adcfc3606
Instruction ID: f61a9555266d3cdd653711aea62f47a2f19023f5908509927f20edd33956e927
Opcode Fuzzy Hash: 5c9ccfee4c7606e935e0eb480a30eada8749d5be36f3775607aeed9adcfc3606
Instruction Fuzzy Hash: E0118E71F0B78A45FE99A7E5E5213BD22919F887D0FC45634DA3D4A3C6EE2DA4808312

Function 00007FF650A29BF0 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNEL32 ref: 00007FF650A29BF4

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: e08ad56c4f69a8d42c1ff91a8fbe35465cd7f76a2abe746ad9bb7050e3aff2c0
Instruction ID: 278230b9889a3692decc781df885bdf399bee76b98a69d58bfb242fedb6a6fa6
Opcode Fuzzy Hash: e08ad56c4f69a8d42c1ff91a8fbe35465cd7f76a2abe746ad9bb7050e3aff2c0
Instruction Fuzzy Hash: F3C04C25F29993E1E6581B635CC616111D4BB86B44FDC4470C509E1750DD1DD1E74619

Function 00007FF8E7B183A0 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNEL32 ref: 00007FF8E7B183A4

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 2403c3f680003cc6744a459c94804d2104b62cb3c3384cede454446d855f93de
Instruction ID: 2351d99fb874f6d3817e22629d20a0b693bdf10dd9585792c3ef4dae5102c65b
Opcode Fuzzy Hash: 2403c3f680003cc6744a459c94804d2104b62cb3c3384cede454446d855f93de
Instruction Fuzzy Hash: 20C04C14F5A942C3E7541BE2ACC262921947F44B91F944070D52991251DD2C91D64612

Function 00007FF8E7B1F7B0 Relevance: 1.3, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF8E7B1F808

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0c35b97ced1bec1fa693b917d1a2d0d85617581464d43c5e25326eda2600a28e
Instruction ID: 0e164faefa86be33724803a9a558cb8bbb25c5bfff134f99ee2e1a8cd00a92dc
Opcode Fuzzy Hash: 0c35b97ced1bec1fa693b917d1a2d0d85617581464d43c5e25326eda2600a28e
Instruction Fuzzy Hash: 39F0B422F1B29645FE151AB1E5043BD6210AFD0BD0F088531DE6C16785DF6CE4E2C302

Non-executed Functions

Function 00007FF650A3CB70 Relevance: 79.1, APIs: 47, Strings: 4, Instructions: 2617stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3CC05
memcpy.MSVCRT ref: 00007FF650A3CCA9
strlen.MSVCRT ref: 00007FF650A3CDEE
memcpy.MSVCRT ref: 00007FF650A3CE70

Strings

basic_string::replace, xrefs: 00007FF650A3CD7E, 00007FF650A3CD8D, 00007FF650A3CFEF, 00007FF650A3CFFE, 00007FF650A3D24E, 00007FF650A3D25D, 00007FF650A3D4AE, 00007FF650A3D4BD, 00007FF650A3D711, 00007FF650A3D720, 00007FF650A3D96E, 00007FF650A3D97D, 00007FF650A3DBCE, 00007FF650A3DBDD, 00007FF650A3DE31, 00007FF650A3DE40, 00007FF650A3E36D, 00007FF650A3E37C, 00007FF650A3E5BE, 00007FF650A3E5CD, 00007FF650A3E811, 00007FF650A3E820, 00007FF650A3EAB0, 00007FF650A3EAC3, 00007FF650A3EAD2, 00007FF650A3EDD7
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3CD94, 00007FF650A3D005, 00007FF650A3D264, 00007FF650A3D4C4, 00007FF650A3D727, 00007FF650A3D984, 00007FF650A3DBE4, 00007FF650A3DE47, 00007FF650A3E383, 00007FF650A3E5D4, 00007FF650A3E827, 00007FF650A3EAB7, 00007FF650A3EAD9, 00007FF650A3EDDE
basic_string::_M_replace_aux, xrefs: 00007FF650A3E151, 00007FF650A3EDC5
basic_string::_S_create, xrefs: 00007FF650A3E145, 00007FF650A3EDEA, 00007FF650A3EF23

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::_S_create$basic_string::replace
API String ID: 2619041689-978392061
Opcode ID: ad347a581c51219f3ebd1fe922085dfa7ebf9c69cbca82f9903a275e60e2c978
Instruction ID: faa213ee2f43fee7f32c302ba999b05d4bc1a53211d1aa77cd698755e51695d3
Opcode Fuzzy Hash: ad347a581c51219f3ebd1fe922085dfa7ebf9c69cbca82f9903a275e60e2c978
Instruction Fuzzy Hash: F013F373B09687A5EA109FA6E8446F96750AF09BD4F8C4132EE1DAB7D7DE2CE541C300

Function 00007FF650A3A9F0 Relevance: 77.0, APIs: 45, Strings: 5, Instructions: 2031COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3AB7A
memcpy.MSVCRT ref: 00007FF650A3AE2A

Strings

basic_string::assign, xrefs: 00007FF650A3ACA0, 00007FF650A3ACB6, 00007FF650A3AF70
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3ACAF, 00007FF650A3B55A, 00007FF650A3BCAE, 00007FF650A3C100, 00007FF650A3C2E8, 00007FF650A3C4D7, 00007FF650A3C4ED, 00007FF650A3C7E5
basic_string::_M_replace_aux, xrefs: 00007FF650A3B10E, 00007FF650A3B7E5, 00007FF650A3BADC, 00007FF650A3C7CC
basic_string::_S_create, xrefs: 00007FF650A3B566, 00007FF650A3B7F1, 00007FF650A3BAE8, 00007FF650A3C10C, 00007FF650A3C7F1
basic_string::insert, xrefs: 00007FF650A3B553, 00007FF650A3B572, 00007FF650A3BC98, 00007FF650A3BCA7, 00007FF650A3C0F9, 00007FF650A3C118, 00007FF650A3C2D2, 00007FF650A3C2E1, 00007FF650A3C4C1, 00007FF650A3C4D0, 00007FF650A3C4E6, 00007FF650A3C7DE

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::_S_create$basic_string::assign$basic_string::insert
API String ID: 3510742995-982419628
Opcode ID: 3fb3654419f22eb41f902027822ad6c65d4425b4dd7f10748506ba9397f60741
Instruction ID: 026f9f2a0767619a5ca21d7e63cfa555931e102d155c71449775b16ea9854115
Opcode Fuzzy Hash: 3fb3654419f22eb41f902027822ad6c65d4425b4dd7f10748506ba9397f60741
Instruction Fuzzy Hash: 68F2EE73B19693A6EE108FA5D8442F86352AB09BD8F5C4632DF1DA77D6DE2CE581C300

Function 00007FF650A461B0 Relevance: 52.4, APIs: 27, Strings: 7, Instructions: 1384stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A461C0
memcpy.MSVCRT ref: 00007FF650A46209
memcpy.MSVCRT ref: 00007FF650A462E9

Strings

basic_string::insert, xrefs: 00007FF650A47338, 00007FF650A4746A
basic_string::assign, xrefs: 00007FF650A4658A
basic_string::_M_replace, xrefs: 00007FF650A4628A, 00007FF650A4636A, 00007FF650A4657B, 00007FF650A469C3, 00007FF650A46D13, 00007FF650A46E95, 00007FF650A47015, 00007FF650A47195, 00007FF650A4734B
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A46591, 00007FF650A469B7, 00007FF650A46D07, 00007FF650A46E89, 00007FF650A47009, 00007FF650A47189, 00007FF650A47329, 00007FF650A4733F, 00007FF650A47460
basic_string::replace, xrefs: 00007FF650A469B0, 00007FF650A46D00, 00007FF650A46E82, 00007FF650A47002, 00007FF650A47182, 00007FF650A47322
basic_string::_M_replace_aux, xrefs: 00007FF650A46837, 00007FF650A46A9E, 00007FF650A46B9A, 00007FF650A47476
basic_string::_M_create, xrefs: 00007FF650A4648C, 00007FF650A4678F

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::_M_replace$basic_string::_M_replace_aux$basic_string::assign$basic_string::insert$basic_string::replace
API String ID: 2619041689-3257055785
Opcode ID: 6597908d0564716c34a933cd06f107a6d212fef4fb1283043b682b0cbbd5743d
Instruction ID: f63c3c7a0e4bc12ff9c65df1d9eb841540df447b6e32331e134dd224f2508060
Opcode Fuzzy Hash: 6597908d0564716c34a933cd06f107a6d212fef4fb1283043b682b0cbbd5743d
Instruction Fuzzy Hash: 0FA2F577B09A93B1EB218BA5D5501BD6360AB85FD8F4C4132DE9DA7787DE2CE442C301

Function 00007FF650A4E690 Relevance: 51.2, APIs: 29, Strings: 4, Instructions: 1693COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A4E744
memcpy.MSVCRT ref: 00007FF650A4E761
memcpy.MSVCRT ref: 00007FF650A4E8D4
memcpy.MSVCRT ref: 00007FF650A4E8F1

Strings

basic_string::replace, xrefs: 00007FF650A4E812, 00007FF650A4E9A2, 00007FF650A4EB23, 00007FF650A4ECB4, 00007FF650A4EE52, 00007FF650A4EFD3, 00007FF650A4F162, 00007FF650A4F2E3, 00007FF650A4F63D, 00007FF650A4F7C3, 00007FF650A4F933, 00007FF650A4FAD3, 00007FF650A4FAE5, 00007FF650A4FCEE
basic_string::_M_replace_aux, xrefs: 00007FF650A4F4BB, 00007FF650A4FCDC
basic_string::_M_replace, xrefs: 00007FF650A4E7FC, 00007FF650A4E98C, 00007FF650A4EB0D, 00007FF650A4EC9E, 00007FF650A4EE3C, 00007FF650A4EFBD, 00007FF650A4F14C, 00007FF650A4F2CD, 00007FF650A4F62E, 00007FF650A4F7AD, 00007FF650A4F91D, 00007FF650A4FABD
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A4E80B, 00007FF650A4E99B, 00007FF650A4EB1C, 00007FF650A4ECAD, 00007FF650A4EE4B, 00007FF650A4EFCC, 00007FF650A4F15B, 00007FF650A4F2DC, 00007FF650A4F644, 00007FF650A4F7BC, 00007FF650A4F92C, 00007FF650A4FACC, 00007FF650A4FAEC, 00007FF650A4FCF5

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace$basic_string::_M_replace_aux$basic_string::replace
API String ID: 3510742995-861133903
Opcode ID: 77bffc9c44677dd885895164bea7c836fb91486146dd5c80afc9853afd0d72bb
Instruction ID: 996bea92f76af674c01c37f31e1e750298a824d83d4d4384795ac8fc82e5384e
Opcode Fuzzy Hash: 77bffc9c44677dd885895164bea7c836fb91486146dd5c80afc9853afd0d72bb
Instruction Fuzzy Hash: DCC2F17BB09A87B5EA208FA5E8014B96351EB45BD4F8C5232DE9DA73D6DE3CE541C300

Function 00007FF650A4CD40 Relevance: 48.1, APIs: 24, Strings: 7, Instructions: 1567COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A4CD50
memcpy.MSVCRT ref: 00007FF650A4CD9D
memcpy.MSVCRT ref: 00007FF650A4CE93

Strings

basic_string::_M_create, xrefs: 00007FF650A4D03D, 00007FF650A4D344
basic_string::replace, xrefs: 00007FF650A4D6C0, 00007FF650A4DAF5, 00007FF650A4DC88, 00007FF650A4DE0F, 00007FF650A4DF87, 00007FF650A4E12F
basic_string::_M_replace_aux, xrefs: 00007FF650A4D51E, 00007FF650A4D7A9, 00007FF650A4D98F, 00007FF650A4E32F
basic_string::assign, xrefs: 00007FF650A4D148
basic_string::_M_replace, xrefs: 00007FF650A4CE2B, 00007FF650A4CF09, 00007FF650A4D139, 00007FF650A4D6CC, 00007FF650A4DB01, 00007FF650A4DC9B, 00007FF650A4DE1B, 00007FF650A4DF93, 00007FF650A4E151
basic_string::insert, xrefs: 00007FF650A4E13E, 00007FF650A4E348
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A4D14F, 00007FF650A4D6B9, 00007FF650A4DAEE, 00007FF650A4DC8F, 00007FF650A4DE08, 00007FF650A4DF80, 00007FF650A4E128, 00007FF650A4E145, 00007FF650A4E33E

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$wcslen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::_M_replace$basic_string::_M_replace_aux$basic_string::assign$basic_string::insert$basic_string::replace
API String ID: 1844840824-3257055785
Opcode ID: 4430c1d49038f62544e5d55a1b648353797ab09431bb0f562d28308367f00175
Instruction ID: 1cef47d5e34b7f0dd503594fe1e0db16d762a0533abe64ac45dcc5d373702a2a
Opcode Fuzzy Hash: 4430c1d49038f62544e5d55a1b648353797ab09431bb0f562d28308367f00175
Instruction Fuzzy Hash: 71C2D177B19A83B1EA208FA5D4405B96361EB45BD4F8C8232EE9DA7796DF3CE541C300

Function 00007FF650A52740 Relevance: 45.0, APIs: 24, Strings: 5, Instructions: 1521stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A52765
memcpy.MSVCRT ref: 00007FF650A5286D
memcpy.MSVCRT ref: 00007FF650A528CC
memcpy.MSVCRT ref: 00007FF650A52B75

Part of subcall function 00007FF650A49050: memcpy.MSVCRT ref: 00007FF650A490F0
Part of subcall function 00007FF650A49050: memcpy.MSVCRT ref: 00007FF650A49124

Strings

basic_string::_M_create, xrefs: 00007FF650A539CD, 00007FF650A53C6C, 00007FF650A53ED6
basic_string::append, xrefs: 00007FF650A531C5, 00007FF650A531D1, 00007FF650A53485, 00007FF650A53491, 00007FF650A53709, 00007FF650A53715
basic_string::append, xrefs: 00007FF650A529AE, 00007FF650A529D2, 00007FF650A52C65, 00007FF650A52C89, 00007FF650A52F0B, 00007FF650A52F17
basic_string::append, xrefs: 00007FF650A539B5, 00007FF650A539C1, 00007FF650A53C54, 00007FF650A53C60, 00007FF650A53ECA, 00007FF650A53EFA
basic_string::_M_create, xrefs: 00007FF650A529A2, 00007FF650A52C59, 00007FF650A52EE7

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::_M_create$basic_string::_M_create$basic_string::append$basic_string::append$basic_string::append
API String ID: 2619041689-2020352992
Opcode ID: 642a0b9ae0c68a5c8d628f6ece2f36a97626f9bbead64cbc7655f63a29d18d03
Instruction ID: 4e54a05cc72177f8ab953c94be031b8045c6f9d39fff453d546ccae2712110f0
Opcode Fuzzy Hash: 642a0b9ae0c68a5c8d628f6ece2f36a97626f9bbead64cbc7655f63a29d18d03
Instruction Fuzzy Hash: FCC2AF3BB09A87A1EE209FA5E40427D6361BB45B98F4C8532EE1DA77D6DE3CE445C340

Function 00007FF650A3881E Relevance: 18.5, APIs: 9, Strings: 3, Instructions: 513COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A38911
memcpy.MSVCRT ref: 00007FF650A38939

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

memset.MSVCRT ref: 00007FF650A3898D
memcpy.MSVCRT ref: 00007FF650A389E6
memcpy.MSVCRT ref: 00007FF650A38BC9
memcpy.MSVCRT ref: 00007FF650A38BF7
memcpy.MSVCRT ref: 00007FF650A38C50

Strings

basic_string::_M_replace_aux, xrefs: 00007FF650A38AF0
basic_string::_S_create, xrefs: 00007FF650A38AE4, 00007FF650A38DBD, 00007FF650A38E9F
basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 00007FF650A38F2C

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$mallocmemset
String ID: basic_string::_M_replace_aux$basic_string::_S_create$basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 368144878-3359409074
Opcode ID: 9acc31bb879f4c36085e4c3c27a8c1445f61703c4c097d474a5ad37bfd968003
Instruction ID: b1ae7363d1ea0af8b88beb5e55e09dd3323f4b37bce461077c51428d5b278c09
Opcode Fuzzy Hash: 9acc31bb879f4c36085e4c3c27a8c1445f61703c4c097d474a5ad37bfd968003
Instruction Fuzzy Hash: 7712B073B0A743AAEA208F66D4402FD6761AB49B94F4C4636DE5DA73D6DE3CE484C340

Function 00007FF650A2C710 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 542COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF650A2C961
fputc.MSVCRT ref: 00007FF650A2CBE9
fputc.MSVCRT ref: 00007FF650A2CD28

Strings

., xrefs: 00007FF650A2CB69

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: f2335e7aae4a5d6319f253de6a1438e5547aa12490883e51a64923facd17ed70
Instruction ID: 7caa64b3ce54c49aa18825e40145768571ec17cf4b86231050e38acff178bd8d
Opcode Fuzzy Hash: f2335e7aae4a5d6319f253de6a1438e5547aa12490883e51a64923facd17ed70
Instruction Fuzzy Hash: 3222A573A1864396F7688F66D85077937A2EB44B48F1D9235CA0DE778ACE3DE940CB40

Function 00007FF8E7B1AED0 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 542COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF8E7B1B121
fputc.MSVCRT ref: 00007FF8E7B1B3A9
fputc.MSVCRT ref: 00007FF8E7B1B4E8

Strings

., xrefs: 00007FF8E7B1B329

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: d39005f12024fb3bc23f412d7ac4ffb7e71369ea58af91583f7d31a02580f966
Instruction ID: d7cec204b653337e6a5184440c7dc5843eceb9d0219045ec150c87e47cefc216
Opcode Fuzzy Hash: d39005f12024fb3bc23f412d7ac4ffb7e71369ea58af91583f7d31a02580f966
Instruction Fuzzy Hash: 3222D973A192468AE7298F65D05077E77A2EB98BC8F158135DA2D477C8DB3DEC00C742

Function 00007FF650A24220 Relevance: 15.7, APIs: 4, Strings: 6, Instructions: 698stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF650A24261
strlen.MSVCRT ref: 00007FF650A2436E

Strings

Z, xrefs: 00007FF650A2442E
Z, xrefs: 00007FF650A242C7
_, xrefs: 00007FF650A242BD
_, xrefs: 00007FF650A24632
_GLOBAL_, xrefs: 00007FF650A24257
_, xrefs: 00007FF650A24421

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: de67cd54f0d5c1e7e52df8fbd8c50eff78b9b61c3f7bc7ad141975b83d845251
Instruction ID: 799624b20c447fe1c0a866900b9de7dc890b8882dd9926f242665b57b2a774d2
Opcode Fuzzy Hash: de67cd54f0d5c1e7e52df8fbd8c50eff78b9b61c3f7bc7ad141975b83d845251
Instruction Fuzzy Hash: D762A173A09683AAF7648EB6C8543FD36A1FB05788F584035DE19ABB86DF39D941C700

Function 00007FF8E7B12CF0 Relevance: 15.7, APIs: 4, Strings: 6, Instructions: 698stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF8E7B12D31
strlen.MSVCRT ref: 00007FF8E7B12E3E

Strings

_, xrefs: 00007FF8E7B13102
_GLOBAL_, xrefs: 00007FF8E7B12D27
_, xrefs: 00007FF8E7B12D8D
Z, xrefs: 00007FF8E7B12D97
Z, xrefs: 00007FF8E7B12EFE
_, xrefs: 00007FF8E7B12EF1

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: 63d13f81488defea6193c4730907306bfe67195dde6e0b4718243abcb2fb856b
Instruction ID: 8ec85071caf8b4d6049230aeb54b4674640b511d98dcd77f3e857c4c29c22d85
Opcode Fuzzy Hash: 63d13f81488defea6193c4730907306bfe67195dde6e0b4718243abcb2fb856b
Instruction Fuzzy Hash: 5462C172A086828AFB658EA5D4543FD37A0FB857C8F144035DA2E0BB85EF3DDA45C742

Function 00007FF650A4C700 Relevance: 15.5, APIs: 7, Strings: 3, Instructions: 481COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A4C710
memcpy.MSVCRT ref: 00007FF650A4C75E
memcpy.MSVCRT ref: 00007FF650A4C81E

Strings

basic_string::_M_replace_aux, xrefs: 00007FF650A4CC50
basic_string::append, xrefs: 00007FF650A4C7B8, 00007FF650A4C878, 00007FF650A4C929, 00007FF650A4CA0D, 00007FF650A4CA20, 00007FF650A4CAC9
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A4CA14

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$wcslen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::append
API String ID: 1844840824-2502837630
Opcode ID: 5726786ff597dbe7ed00c72fad8f8f6611503ae7ab9d10e2ab9ea3e0c90c808d
Instruction ID: 8b70e66937f4ac417ee0fa5c16ff528841acc9397ab8572d9147d9de8c659f41
Opcode Fuzzy Hash: 5726786ff597dbe7ed00c72fad8f8f6611503ae7ab9d10e2ab9ea3e0c90c808d
Instruction Fuzzy Hash: 8EF1BE77A09B57B1EA508FA5D4401B86361EB45F94B9C8632DE9DA73D2EF3CE482C340

Function 00007FF650A4A250 Relevance: 15.4, APIs: 6, Strings: 4, Instructions: 387COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A4A2D2

Strings

basic_string::basic_string, xrefs: 00007FF650A4A469, 00007FF650A4A539
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A4A470, 00007FF650A4A540, 00007FF650A4A610
string::string, xrefs: 00007FF650A4A609
basic_string::_M_create, xrefs: 00007FF650A4A2EA, 00007FF650A4A39A, 00007FF650A4A45A, 00007FF650A4A52A, 00007FF650A4A5FA, 00007FF650A4A6BA

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: f9561b54137bed5e2290b107386d817ba6bc8ae73c0a4b99f2edf06160560d97
Instruction ID: f5c4efe6aa4f157ba7e1ec7eb3c3497c4dfb05c158a28b7f724961abe52d55ca
Opcode Fuzzy Hash: f9561b54137bed5e2290b107386d817ba6bc8ae73c0a4b99f2edf06160560d97
Instruction Fuzzy Hash: 1EC1D777A09A82A5EB128F65F4802ACB760E765B98F4C8131CF9D97796DE3CD5D2C300

Function 00007FF650A49730 Relevance: 15.4, APIs: 6, Strings: 4, Instructions: 387COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A497B2

Strings

basic_string::basic_string, xrefs: 00007FF650A49949, 00007FF650A49A19
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A49950, 00007FF650A49A20, 00007FF650A49AF0
string::string, xrefs: 00007FF650A49AE9
basic_string::_M_create, xrefs: 00007FF650A497CA, 00007FF650A4987A, 00007FF650A4993A, 00007FF650A49A0A, 00007FF650A49ADA, 00007FF650A49B9A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: d5979409dbc0b0a88eb28cc7d5e6714f6cc43b7faaa5e49ab3fd699f1dd425c1
Instruction ID: 98bfc75703510b4e5bb0a4a74098bd0070a3750d8f93e42dfc2678e20added10
Opcode Fuzzy Hash: d5979409dbc0b0a88eb28cc7d5e6714f6cc43b7faaa5e49ab3fd699f1dd425c1
Instruction Fuzzy Hash: E7C1D777A09A82A5EB225F65F4802E8B660E715B98F4C8131CF9D97796DE3CD9D3C300

Function 00007FF650A50A70 Relevance: 15.4, APIs: 6, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A50AF8

Strings

basic_string::_M_create, xrefs: 00007FF650A50B02, 00007FF650A50BA2, 00007FF650A50C52, 00007FF650A50D2A, 00007FF650A50DFA, 00007FF650A50EB2
basic_string::basic_string, xrefs: 00007FF650A50C61, 00007FF650A50D40
string::string, xrefs: 00007FF650A50E10
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A50C68, 00007FF650A50D39, 00007FF650A50E09

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: e316af2f793b7d33bc1d4bb5bc66ceff962d6734e10f4cb33afc806da87190f1
Instruction ID: 57089fa483fc6bf096947e8cd0bb6a046b82fe864c5541e4c4f2de8ff42101ad
Opcode Fuzzy Hash: e316af2f793b7d33bc1d4bb5bc66ceff962d6734e10f4cb33afc806da87190f1
Instruction Fuzzy Hash: 4AC1B037A05643A5EE259FA5E8404B97360BB05BE4F5C4632DE6D977D6EE3CE482C300

Function 00007FF650A515F0 Relevance: 15.4, APIs: 6, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A51678

Strings

basic_string::_M_create, xrefs: 00007FF650A51682, 00007FF650A51722, 00007FF650A517D2, 00007FF650A518AA, 00007FF650A5197A, 00007FF650A51A32
basic_string::basic_string, xrefs: 00007FF650A517E1, 00007FF650A518C0
string::string, xrefs: 00007FF650A51990
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A517E8, 00007FF650A518B9, 00007FF650A51989

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: b97e0c47007e84956c0877af1a779d18a511d936b347d5b8fdbeec243bdee94e
Instruction ID: 6b8f79e7a889ac266a033df807274c096e81432dafd407dc888f34f3bd67436e
Opcode Fuzzy Hash: b97e0c47007e84956c0877af1a779d18a511d936b347d5b8fdbeec243bdee94e
Instruction Fuzzy Hash: C3C19037A05643B5EE259F65E8400B8A360BB05BE4F5C4632EE6D977D6EE3CE586C300

Function 00007FF650A30D70 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF650A30D80
GetProcAddress.KERNEL32 ref: 00007FF650A30D97
LoadLibraryW.KERNEL32 ref: 00007FF650A30DBF
GetProcAddress.KERNEL32 ref: 00007FF650A30DCF

Strings

SystemFunction036, xrefs: 00007FF650A30DC5
advapi32.dll, xrefs: 00007FF650A30DB8
msvcrt.dll, xrefs: 00007FF650A30D79
rand_s, xrefs: 00007FF650A30D8D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 3cddb3a2635239156a5bab0903d121020f4bf08e224885fbcd19eca981a7a39b
Instruction ID: 4b187b97d1c37faa22ec880ca1521f52128b25107d210956ad36dd80d38ca069
Opcode Fuzzy Hash: 3cddb3a2635239156a5bab0903d121020f4bf08e224885fbcd19eca981a7a39b
Instruction Fuzzy Hash: 15F01D21E5AA07F2EE059B91FCE04B427A4BF4A794B4C0532CC0EB6360EE2DE446C350

Function 00007FF650A3A3B0 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 336stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A3A3C1
memcpy.MSVCRT ref: 00007FF650A3A4B2
memcpy.MSVCRT ref: 00007FF650A3A51A
memcpy.MSVCRT ref: 00007FF650A3A7CA

Strings

basic_string::assign, xrefs: 00007FF650A3A660, 00007FF650A3A910

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::assign
API String ID: 2619041689-2385367300
Opcode ID: 33be3c84a5e8c55ba64ea6511b8cd3aea9e620432794035fffeaff630c844bd4
Instruction ID: f1ea9be9eeae27bdb6ea2854435844b271240523de0deb60771515c4e53ae560
Opcode Fuzzy Hash: 33be3c84a5e8c55ba64ea6511b8cd3aea9e620432794035fffeaff630c844bd4
Instruction Fuzzy Hash: 9FD1B233B09667A5EE118F59D0842FC6760AB69B94F5C4532CF1DA77DADF2DE8828300

Function 00007FF650A4AE40 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 264stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A4AE50
memcpy.MSVCRT ref: 00007FF650A4AE98
memcpy.MSVCRT ref: 00007FF650A4AF50

Strings

basic_string::append, xrefs: 00007FF650A4AEEA, 00007FF650A4AF9B, 00007FF650A4B04B
basic_string::_M_create, xrefs: 00007FF650A4B170

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::_M_create$basic_string::append
API String ID: 2619041689-3923985592
Opcode ID: 8ddfacf99ab984d79040ce783a34ce513ab25da3cf743b6d395fd072a9e2d9a9
Instruction ID: 9914f97295d95a4d0da11bb81f7eb40a40e0cde385bc5aef64c08faa9461db54
Opcode Fuzzy Hash: 8ddfacf99ab984d79040ce783a34ce513ab25da3cf743b6d395fd072a9e2d9a9
Instruction Fuzzy Hash: 8291D477B19A97B1EF108A65D4102B96321AB55F98F8C8532DEADA73C7DE2DE442C300

Function 00007FF650A129E0 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 44stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF650A12A4D
strcmp.MSVCRT ref: 00007FF650A12A77

Strings

VBox, xrefs: 00007FF650A12A65
t Hv, xrefs: 00007FF650A12A3B
VMwareVMMicrosofVBoxVBox, xrefs: 00007FF650A129EC
ware, xrefs: 00007FF650A12A16

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strcmp
String ID: VBox$VMwareVMMicrosofVBoxVBox$t Hv$ware
API String ID: 1004003707-3138586379
Opcode ID: 37b597a5689494ed26fb4dc04e1f2368f416c8d10741643781c684460306bb89
Instruction ID: 4b5992923ab4acb051f81fb93047a873270492670f9135ce4f97ac7e7109e1d9
Opcode Fuzzy Hash: 37b597a5689494ed26fb4dc04e1f2368f416c8d10741643781c684460306bb89
Instruction Fuzzy Hash: 32113D72A1C78796EB208B55E48035ABBA0FB85784F0C0135EA8D86B59EF7DD154CF04

Function 00007FF650A2DDF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1533COMMON

Download Yara Rule

Strings

, xrefs: 00007FF650A2F8DE
, xrefs: 00007FF650A2F573
NaN, xrefs: 00007FF650A2E131
Infinity, xrefs: 00007FF650A2E1C0

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 6dd44949b3ed188a193b1039b318fc06643e791fb88510f01d96adc3b2bee92f
Instruction ID: 42dc3da66a1aebafa8593fb9c54ecccc1d87eaba82f91bad831c51358d1a6a4e
Opcode Fuzzy Hash: 6dd44949b3ed188a193b1039b318fc06643e791fb88510f01d96adc3b2bee92f
Instruction Fuzzy Hash: 42E29433A0C6839BE725CF66E84136AB791FB85784F184135EA49A7B96DF3DE4418F00

Function 00007FF8E7B1C5B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1533COMMON

Download Yara Rule

Strings

NaN, xrefs: 00007FF8E7B1C8F1
Infinity, xrefs: 00007FF8E7B1C980
, xrefs: 00007FF8E7B1E09E
, xrefs: 00007FF8E7B1DD33

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: e29387f2615a8604735f1304234b78629540e37ec92509e9e94c7aeb374f1150
Instruction ID: 1521f25f8080ec42e3fb015aac1c0d8fea5c7e7b6d66d23ab260865697db32df
Opcode Fuzzy Hash: e29387f2615a8604735f1304234b78629540e37ec92509e9e94c7aeb374f1150
Instruction Fuzzy Hash: ABE2A672A1C6818AE725CF69E00436EBBA1FBC57C4F144135EA9987B99DB3DE441CF01

Function 00007FF650A12BB4 Relevance: 7.7, APIs: 5, Instructions: 245processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650A2A0A0: RtlCaptureContext.KERNEL32 ref: 00007FF650A2A11E
Part of subcall function 00007FF650A2A0A0: RtlUnwindEx.KERNEL32 ref: 00007FF650A2A13C
Part of subcall function 00007FF650A2A0A0: abort.MSVCRT ref: 00007FF650A2A142

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF650A12DD4
Process32First.KERNEL32 ref: 00007FF650A12DFF
MultiByteToWideChar.KERNEL32 ref: 00007FF650A12E75
MultiByteToWideChar.KERNEL32 ref: 00007FF650A12EA9

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: ByteCharMultiWide$CaptureContextCreateFirstProcess32SnapshotToolhelp32Unwindabort
String ID:
API String ID: 3731711962-0
Opcode ID: a07ec6b41b8bfde8ab265026ccf2d0eb5a7eb21344be689f0646cb224e3cd7d7
Instruction ID: 5db3601c1086dec5664670791f720d89b52af0eefb21c2415726f1d0164c468b
Opcode Fuzzy Hash: a07ec6b41b8bfde8ab265026ccf2d0eb5a7eb21344be689f0646cb224e3cd7d7
Instruction Fuzzy Hash: 44A10333A0868351DA209BA5E4102BEA7A1FF85B90F4C8335EE5DA37D6EF2CD4658700

Function 00007FF650A412A0 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 222stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A412B1
memcpy.MSVCRT ref: 00007FF650A413A2
memcpy.MSVCRT ref: 00007FF650A4140A

Strings

basic_string::assign, xrefs: 00007FF650A41550

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::assign
API String ID: 2619041689-2385367300
Opcode ID: 824c0f1de1c3f10338e5efd760fb8b621a617974b0f669c98ea53029e00b8e7a
Instruction ID: a19ab5c418b2bb15ed6b2ba13ca0b14f071aa58aafe4b31ac5c2ad82e4f38251
Opcode Fuzzy Hash: 824c0f1de1c3f10338e5efd760fb8b621a617974b0f669c98ea53029e00b8e7a
Instruction Fuzzy Hash: 5191A37BB09657B6EE118F5AD4402BC6760AB45B98F9C4531CB4EA77D2EF2CE881C340

Function 00007FF650A291F6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF650A29215

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 5b4558dc0b14a29d94faa6f26a699a1a020ba34987c3d39b1551dcd82f0197bb
Instruction ID: ee02ba75c6f2017fa2944a0bd5492e6c293bae28d84bf4a563b860aa0fa2c2e3
Opcode Fuzzy Hash: 5b4558dc0b14a29d94faa6f26a699a1a020ba34987c3d39b1551dcd82f0197bb
Instruction Fuzzy Hash: F6218933E0D103B6FE6892E688503F831819F9AB50F9C4936C91DE63D7DD1DE8818305

Function 00007FF650A41630 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A41722
memcpy.MSVCRT ref: 00007FF650A4178A

Strings

basic_string::assign, xrefs: 00007FF650A418D0

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: basic_string::assign
API String ID: 3510742995-2385367300
Opcode ID: 38d2025bd9f841618dfc88e1d3291f0677eb03729608cdf29431157117b58588
Instruction ID: 0d9593b5442ae41b07a16859e06253dc66864d3bd41c2fdb9119e6cf181c4be3
Opcode Fuzzy Hash: 38d2025bd9f841618dfc88e1d3291f0677eb03729608cdf29431157117b58588
Instruction Fuzzy Hash: A6A1CE3BB09647A5EE218F59E14477CA761AB41B98F9C4131CF8DA7792DF2DE880C740

Function 00007FF650A3F160 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3F2E6

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3F354
basic_string::_S_create, xrefs: 00007FF650A3F360
basic_string::erase, xrefs: 00007FF650A3F34D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: mallocmemcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_create$basic_string::erase
API String ID: 4276657696-874136391
Opcode ID: d9868581179df336c8d7b0f943e4eb259893e80005fd116112d0dfabd90edca6
Instruction ID: 84501b94077881e3e6db77355c2a83787bcab8f1b028ceed2995d2b8082cd05f
Opcode Fuzzy Hash: d9868581179df336c8d7b0f943e4eb259893e80005fd116112d0dfabd90edca6
Instruction Fuzzy Hash: 9351B273B19603A2FE008B94D4452FD6751AB49BA8F8C4632DA2D973D6DF6CD445C340

Function 00007FF650A4E380 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 212COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A4E3FE

Strings

basic_string::_M_replace_aux, xrefs: 00007FF650A4E457, 00007FF650A4E608

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_M_replace_aux
API String ID: 2221118986-2536181960
Opcode ID: 1a403599859ca1899f855ff9512b7a7dfc7b4e5b2654c0c6726e7655f74d281a
Instruction ID: c5a2cf14a4efd804c00b0bb504e90399baed576048cb26c3cdca4e30825de018
Opcode Fuzzy Hash: 1a403599859ca1899f855ff9512b7a7dfc7b4e5b2654c0c6726e7655f74d281a
Instruction Fuzzy Hash: 74512777B19652B5EA11CFA9D4044BD6361AB01BE4F9C8731DA6CA77E2EF39E442C300

Function 00007FF650A49250 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A4931D

Strings

basic_string::_M_create, xrefs: 00007FF650A49360

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: 1526b098f5c54defdeafe3e140b4236d86ea297812fa3ff0e8b03ebd585d1a9d
Instruction ID: c24c28f6bb44e80dd11eb10bc9f8f9672174e60d40fa22a4a291d689304e096e
Opcode Fuzzy Hash: 1526b098f5c54defdeafe3e140b4236d86ea297812fa3ff0e8b03ebd585d1a9d
Instruction Fuzzy Hash: A051D477A09A82B1DB19CF55D4002BD7761BB4AB94F588636CE6E973D6CF38E451C300

Function 00007FF650A309D0 Relevance: 2.6, APIs: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650A2FB60: Sleep.KERNEL32(00000001,?,00000000,00007FF650A2FEEE), ref: 00007FF650A2FB95

malloc.MSVCRT ref: 00007FF650A30AFE
LeaveCriticalSection.KERNEL32 ref: 00007FF650A30B30

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID:
API String ID: 1993596536-0
Opcode ID: 2c36061d1760b51322d7b515d591171073cd59cacb9d64a07b8c3b57f11c525d
Instruction ID: 562d25c864b299d2a1d0890de024d5b6d4de350e0d1e5730110c38efaa171cda
Opcode Fuzzy Hash: 2c36061d1760b51322d7b515d591171073cd59cacb9d64a07b8c3b57f11c525d
Instruction Fuzzy Hash: 615107B2E1820386EB5C4F55F464F7A3A51FBA4784F499138CA0967BD1CE3DD641CB40

Function 00007FF8E7B1F190 Relevance: 2.6, APIs: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8E7B1E320: Sleep.KERNEL32(00000001,?,00000000,00007FF8E7B1E6AE), ref: 00007FF8E7B1E355

malloc.MSVCRT ref: 00007FF8E7B1F2BE
LeaveCriticalSection.KERNEL32 ref: 00007FF8E7B1F2F0

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID:
API String ID: 1993596536-0
Opcode ID: 6399a656ab116061ad14ceb5f3512d172d916b2186e21018828a1aad1d3fc565
Instruction ID: a7050c19406f874715aa0778a53577314b73a74f267e78e816eefeea43fe199e
Opcode Fuzzy Hash: 6399a656ab116061ad14ceb5f3512d172d916b2186e21018828a1aad1d3fc565
Instruction Fuzzy Hash: 9F51D3B1A192428AE72D8F55F404B7E3A91EBE07C4F519239DA1E0BB94CB3DD641CB81

Function 00007FF650A31FC0 Relevance: 2.1, APIs: 1, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a789a7e1906a6075df58b085b7bca922bf40180320497dae8d1e5630d7266773
Instruction ID: 7187f13808dd8d0b8912156aef44a28aa5ec1318641a6dcca90e1cdae0d3c10b
Opcode Fuzzy Hash: a789a7e1906a6075df58b085b7bca922bf40180320497dae8d1e5630d7266773
Instruction Fuzzy Hash: AC328333A0DBC7A5EA748A95A4413FEA790FB89784F0C4135EA8DA7797EE3CD5409700

Function 00007FF8E7B20750 Relevance: 2.1, APIs: 1, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75202502c96c6c6311f8483e592c34ccd1763e61bf6a8445c6a23aed2556d219
Instruction ID: 8e06527b5dab777c25e89d0bdf5ebba68e9b5f9664f329042b74e52f81371b56
Opcode Fuzzy Hash: 75202502c96c6c6311f8483e592c34ccd1763e61bf6a8445c6a23aed2556d219
Instruction Fuzzy Hash: 06327F72E0E7C585EA609A95F0453BEB791FBC97C4F944136EA9E07B99DE3CD0408B02

Function 00007FF650A115B0 Relevance: 1.5, APIs: 1, Instructions: 206stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A115D2

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 277f68a8ef33fd892ad4b58a64bfb347b3fd29acc75adeb1ffad4ee53ec1b8c2
Instruction ID: d70f3fa34046e34219ad0f01b1a71af4860c689574c7cd8f797655b239003cff
Opcode Fuzzy Hash: 277f68a8ef33fd892ad4b58a64bfb347b3fd29acc75adeb1ffad4ee53ec1b8c2
Instruction Fuzzy Hash: 62511BE7FA774003FE5887E5692435E92935A953D6E85FC389E8D4BB0EFD3DA2814040

Function 00007FF650A54DF0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

random_device::random_device(const std::string&): unsupported token, xrefs: 00007FF650A54E61

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: CaptureContextUnwindabortmallocstrlen
String ID: random_device::random_device(const std::string&): unsupported token
API String ID: 467726954-222443098
Opcode ID: 3f77018be4266621ae8b32caf86d1aa6f517c412206a536e5a4a9b30a61fb4cd
Instruction ID: 17320159455007bda739806142bac4b7ef9079a4d6983084f36900289ee9edd3
Opcode Fuzzy Hash: 3f77018be4266621ae8b32caf86d1aa6f517c412206a536e5a4a9b30a61fb4cd
Instruction Fuzzy Hash: F521A577E1964372EE24AFA2B8511BA6764BF49BC4F8C0031ED4EA7797DE2CE1018340

Function 00007FF650A15140 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction ID: bab37cb81e15273f19aeaaea480becab6d28f828323ed94a28e6d565388f993d
Opcode Fuzzy Hash: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction Fuzzy Hash: DD12A1B3E0AB83E0FB5587A0A4417BA26D6DB51780F9D8435CA5C67787EF3CE5818780

Function 00007FF8E7B03C10 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction ID: ac36e1cd5d6b37e7b0ca0484b4060e0b4bfcf5441cdfc02a755edcbe3781e447
Opcode Fuzzy Hash: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction Fuzzy Hash: E01290B2A1AB82C0FB658780E4457BE36D5ABD37C0F558435CA6C27785DE3CE9828342

Function 00007FF650A15990 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4314aa25bf8cd1932cbf5c45235f216c023b8993aa11dae999a1b1a2f4857f
Instruction ID: 54ffca8060714c9ec45fcbaeb56c1ade0eafb804a7bb34c37a66f2d0f7a4c72a
Opcode Fuzzy Hash: 8e4314aa25bf8cd1932cbf5c45235f216c023b8993aa11dae999a1b1a2f4857f
Instruction Fuzzy Hash: E912BFB3A09743A6EB64CF61A44437A37A1FB44B88F5C8135CA4D97786DF3CE8918780

Function 00007FF8E7B04460 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d1045d800ad18b8a767b6d33ba05748f72f4317c74184e8fc2a0b96ab76432
Instruction ID: 2cf55213dd4b54ef986d599502a80ac77b63b9bcda34c4f5af0774dc78177dea
Opcode Fuzzy Hash: 91d1045d800ad18b8a767b6d33ba05748f72f4317c74184e8fc2a0b96ab76432
Instruction Fuzzy Hash: F112B2B2A09742C5EB688F51D44437E36A1EB97BC8F548135CA2D1B789DF3CEC928781

Function 00007FF650A17890 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057cbbb8f210a0f42a14319dea50cbe7b6f0892c6a6c6128709ea7b62745ec8
Instruction ID: ec978e37c8a36b6155616264e6126c425066b234ad8da5d38734ba51f6f69a38
Opcode Fuzzy Hash: b057cbbb8f210a0f42a14319dea50cbe7b6f0892c6a6c6128709ea7b62745ec8
Instruction Fuzzy Hash: F402F973D0D24765FB668AA5960137E26E29F51BC4F5CA031CA4EA77C7DF2CE8918380

Function 00007FF8E7B06360 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057cbbb8f210a0f42a14319dea50cbe7b6f0892c6a6c6128709ea7b62745ec8
Instruction ID: 0110bb6657840e3a2b1105aeae8f2807c1255f95728c34c5a34a27af12373fee
Opcode Fuzzy Hash: b057cbbb8f210a0f42a14319dea50cbe7b6f0892c6a6c6128709ea7b62745ec8
Instruction Fuzzy Hash: CB02C371D0C286C5FB689A95D4053BD36999FD3BC8F488031CA6D677CADE2CE891A342

Function 00007FF650A54EE9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: 051012ccbcc7b5faea14bd53a47746a31af2af7663974757354e2f3f032db126
Instruction ID: 1c82caa613971b0c9eb63222c76723573e629d85590d9ada2c7432a1b4964915
Opcode Fuzzy Hash: 051012ccbcc7b5faea14bd53a47746a31af2af7663974757354e2f3f032db126
Instruction Fuzzy Hash: CCD09E66F5E003A2E814ABF268514B853602F66B88F5C1431D91EF7393AE1CE5514309

Function 00007FF650A32EB0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 102fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF650A32FAC

Part of subcall function 00007FF650A28770: strlen.MSVCRT ref: 00007FF650A287F5
Part of subcall function 00007FF650A28770: memcpy.MSVCRT ref: 00007FF650A2880E
Part of subcall function 00007FF650A28770: free.MSVCRT ref: 00007FF650A28819

fwrite.MSVCRT ref: 00007FF650A32F28
fputs.MSVCRT ref: 00007FF650A32F42
fwrite.MSVCRT ref: 00007FF650A32F63
free.MSVCRT ref: 00007FF650A32F73
fputs.MSVCRT ref: 00007FF650A32F85
abort.MSVCRT ref: 00007FF650A32FB1
fwrite.MSVCRT ref: 00007FF650A32FD6
abort.MSVCRT ref: 00007FF650A32FDB
fwrite.MSVCRT ref: 00007FF650A33016
fputs.MSVCRT ref: 00007FF650A33028
fputc.MSVCRT ref: 00007FF650A3303C

Strings

terminate called after throwing an instance of ', xrefs: 00007FF650A32F18
what(): , xrefs: 00007FF650A3300F
terminate called without an active exception, xrefs: 00007FF650A32FA2
terminate called recursively, xrefs: 00007FF650A32FCC

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 802779101-808685626
Opcode ID: 82efe803838a8d037a76eabb839b4317706212d83b69d01b170799ebd747e01d
Instruction ID: 38b6df62057ceb23360ded53b2c61bf6796763ce60b9c0ebd1f63adc3181de8b
Opcode Fuzzy Hash: 82efe803838a8d037a76eabb839b4317706212d83b69d01b170799ebd747e01d
Instruction Fuzzy Hash: 57417E36F0811326FA10A7F2A8257FA5691AF89BC4F4C4135E90EE77C3EE2DE5018781

Function 00007FF8E7B21450 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 102fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF8E7B2154C

Part of subcall function 00007FF8E7B17240: strlen.MSVCRT ref: 00007FF8E7B172C5
Part of subcall function 00007FF8E7B17240: memcpy.MSVCRT ref: 00007FF8E7B172DE
Part of subcall function 00007FF8E7B17240: free.MSVCRT ref: 00007FF8E7B172E9

fwrite.MSVCRT ref: 00007FF8E7B214C8
fputs.MSVCRT ref: 00007FF8E7B214E2
fwrite.MSVCRT ref: 00007FF8E7B21503
free.MSVCRT ref: 00007FF8E7B21513
fputs.MSVCRT ref: 00007FF8E7B21525
abort.MSVCRT ref: 00007FF8E7B21551
fwrite.MSVCRT ref: 00007FF8E7B21576
abort.MSVCRT ref: 00007FF8E7B2157B
fwrite.MSVCRT ref: 00007FF8E7B215B6
fputs.MSVCRT ref: 00007FF8E7B215C8
fputc.MSVCRT ref: 00007FF8E7B215DC

Strings

terminate called recursively, xrefs: 00007FF8E7B2156C
what(): , xrefs: 00007FF8E7B215AF
terminate called after throwing an instance of ', xrefs: 00007FF8E7B214B8
terminate called without an active exception, xrefs: 00007FF8E7B21542

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 802779101-808685626
Opcode ID: edf95c3c8eb852e668d785d020afc51512c552d478493648ad0ea523f3eccf66
Instruction ID: 9f5eb26119dfa7cfe22337b8b1b591bd8a9f0ebcf65f0d40db26e4f605c64671
Opcode Fuzzy Hash: edf95c3c8eb852e668d785d020afc51512c552d478493648ad0ea523f3eccf66
Instruction Fuzzy Hash: C7418030F1A19605FB10A7E1E8257BE6696AFD67C0F804136E92E477C2DE2DE5028713

Function 00007FF650A31190 Relevance: 19.8, APIs: 13, Instructions: 272COMMON

Download Yara Rule

APIs

___lc_codepage_func.MSVCRT ref: 00007FF650A311BA
___mb_cur_max_func.MSVCRT ref: 00007FF650A311C2
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF650A31351
MultiByteToWideChar.KERNEL32 ref: 00007FF650A3137F
_errno.MSVCRT ref: 00007FF650A31385

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func_errno
String ID:
API String ID: 3183172368-0
Opcode ID: 8ab632f43d6acf1946b61802747c5be28d51b72408049796820b803039f0fca0
Instruction ID: c7c2c73887d227b39ac16850421fbbfad841ef091e94d342f76bf48014749c41
Opcode Fuzzy Hash: 8ab632f43d6acf1946b61802747c5be28d51b72408049796820b803039f0fca0
Instruction Fuzzy Hash: 85B19373A0C643A6E7A08F91E4403FA6690FB59788F0C4035EA8DEBB86DF7DE5058740

Function 00007FF8E7B1F9B0 Relevance: 19.8, APIs: 13, Instructions: 272COMMON

Download Yara Rule

APIs

___lc_codepage_func.MSVCRT ref: 00007FF8E7B1F9DA
___mb_cur_max_func.MSVCRT ref: 00007FF8E7B1F9E2
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF8E7B1FB71
MultiByteToWideChar.KERNEL32 ref: 00007FF8E7B1FB9F
_errno.MSVCRT ref: 00007FF8E7B1FBA5

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func_errno
String ID:
API String ID: 3183172368-0
Opcode ID: 4f52c65fb300fda4aa6b42498341c75719a94bc644baadafcd56d94d8acb21db
Instruction ID: fcaf2e671f7db401ba52557325aafe4ff4b4f211e14bdb97ead6544806eda17d
Opcode Fuzzy Hash: 4f52c65fb300fda4aa6b42498341c75719a94bc644baadafcd56d94d8acb21db
Instruction Fuzzy Hash: 53B1AE32A1E6428EE7608F91E44037E7BA0BB957C8F088035EAAD47784EF7DE555C702

Function 00007FF650A2B540 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 446COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF650A2B825

Strings

UUUU, xrefs: 00007FF650A2B66E

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fputc
String ID: UUUU
API String ID: 1992160199-1798160573
Opcode ID: 3b85de55c72d650216168256f511233200dee7a2bcb32fa0b97bc0524bea5549
Instruction ID: 7cc0676dd6ca11b5820f892e6df0037614cb6c7c09ba4f9843635c75756ba2d5
Opcode Fuzzy Hash: 3b85de55c72d650216168256f511233200dee7a2bcb32fa0b97bc0524bea5549
Instruction Fuzzy Hash: CE126373D291079BE7648F66C55077937E1EB95B54F2D8239CA0DA63CADE3CE8408B40

Function 00007FF8E7B19D00 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 446COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF8E7B19FE5

Strings

UUUU, xrefs: 00007FF8E7B19E2E

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: fputc
String ID: UUUU
API String ID: 1992160199-1798160573
Opcode ID: 6b68097bf7420150babb894e36c6aeaff896fa196c61cd1df292c1f48f671bb8
Instruction ID: 574b68ed67f227efba5db05e43784d6373f948eef2d8c1121db33bb21f24a7b5
Opcode Fuzzy Hash: 6b68097bf7420150babb894e36c6aeaff896fa196c61cd1df292c1f48f671bb8
Instruction Fuzzy Hash: 5E120072A091828AE768CF64C15477D37E1EBD5B98F258239CA2D472C9DB3DF841CB42

Function 00007FF650A45C60 Relevance: 16.9, APIs: 8, Strings: 3, Instructions: 427stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A45C70
memcpy.MSVCRT ref: 00007FF650A45CB8
memcpy.MSVCRT ref: 00007FF650A45D66

Strings

basic_string::append, xrefs: 00007FF650A45D0A, 00007FF650A45DBA, 00007FF650A45E6B, 00007FF650A45F3E, 00007FF650A45F51, 00007FF650A45FFB
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A45F45
basic_string::_M_replace_aux, xrefs: 00007FF650A460B7

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::append
API String ID: 2619041689-2502837630
Opcode ID: 48419a8f08ca8c08c9906f507af28e38fcaf8763e241285874e94f5c930be9c0
Instruction ID: 3cec3de4c3ba9354a4612cddd4e5f2f88d7ce4eb64f320fdcd3566b73afa1224
Opcode Fuzzy Hash: 48419a8f08ca8c08c9906f507af28e38fcaf8763e241285874e94f5c930be9c0
Instruction Fuzzy Hash: 0CE1D577A09A87B1EF208FA9D4501B86360AB45F98F8C8532DE9DA77C7DE6CD442C300

Function 00007FF650A294C0 Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF650A29521
TlsGetValue.KERNEL32(?,?,?,00007FF650A28A75), ref: 00007FF650A2954A
GetLastError.KERNEL32(?,?,?,00007FF650A28A75), ref: 00007FF650A2954F
LeaveCriticalSection.KERNEL32 ref: 00007FF650A29577
free.MSVCRT ref: 00007FF650A295B7
DeleteCriticalSection.KERNEL32 ref: 00007FF650A295DD
InitializeCriticalSection.KERNEL32 ref: 00007FF650A29677

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
String ID:
API String ID: 100439675-0
Opcode ID: 9d870255927499374f5c0de93d0108a320339cf10cb9145e98a0e1dfec17ba73
Instruction ID: dd6ee13e92fc1a72f7f3e21a4d260e047749ab939c3ba25276386d7674f9d077
Opcode Fuzzy Hash: 9d870255927499374f5c0de93d0108a320339cf10cb9145e98a0e1dfec17ba73
Instruction Fuzzy Hash: 8F412A32F19643A5FA569F52A8802B863A0BF56F89F8C4430DD0EF7792DF2DE8458704

Function 00007FF8E7B17C60 Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF8E7B17CC1
TlsGetValue.KERNEL32(?,?,?,00007FF8E7B17535), ref: 00007FF8E7B17CEA
GetLastError.KERNEL32(?,?,?,00007FF8E7B17535), ref: 00007FF8E7B17CEF
LeaveCriticalSection.KERNEL32 ref: 00007FF8E7B17D17
free.MSVCRT ref: 00007FF8E7B17D57
DeleteCriticalSection.KERNEL32 ref: 00007FF8E7B17D7D
InitializeCriticalSection.KERNEL32 ref: 00007FF8E7B17E17

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
String ID:
API String ID: 100439675-0
Opcode ID: 4766b8e9fd29cc773eb12eff48182ef52404bb47ad56aa230f7c8f0114981fc5
Instruction ID: 71298113258c4a239cccaf609580a51049c672fd805c6ca36f8b003a72777fa0
Opcode Fuzzy Hash: 4766b8e9fd29cc773eb12eff48182ef52404bb47ad56aa230f7c8f0114981fc5
Instruction Fuzzy Hash: 5E412832A4964786FB559F91E88077D33A8AFA4BD1F584431CD3D4B290DE3CE885D302

Function 00007FF650A29E30 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF650A29F05
abort.MSVCRT(?,?,?,?,?,?,-00000040,?,?,00000000,?,?,00007FF650A544C5), ref: 00007FF650A29F0B
RtlUnwindEx.KERNEL32 ref: 00007FF650A2A021

Strings

CCG!, xrefs: 00007FF650A29EF8
CCG!, xrefs: 00007FF650A29E59
CCG", xrefs: 00007FF650A29E92
CCG , xrefs: 00007FF650A29E9E

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: fde0313c25a5494f8e4f383ceaa978a1d11fd6de5f1a372e9350cc734f2aaca8
Instruction ID: 8178733c5bf1f5a70ab8dcab5f251860db29b36b12b4c9a43926a938dcb5e395
Opcode Fuzzy Hash: fde0313c25a5494f8e4f383ceaa978a1d11fd6de5f1a372e9350cc734f2aaca8
Instruction Fuzzy Hash: D951F533A08B8292E7608B55E8406AD7370F789B98F585236EF8DA3758DF3DD581C740

Function 00007FF8E7B185E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF8E7B186B5
abort.MSVCRT(?,?,?,?,?,?,00000000,?,?,?,?,?,00007FF8E7B221B5), ref: 00007FF8E7B186BB
RtlUnwindEx.KERNEL32 ref: 00007FF8E7B187D1

Strings

CCG!, xrefs: 00007FF8E7B18609
CCG!, xrefs: 00007FF8E7B186A8
CCG , xrefs: 00007FF8E7B1864E
CCG", xrefs: 00007FF8E7B18642

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: 90bb83fa7776ed93d0da856b8a3e6ce9c4dbb2454710fb748a419578ffc60a1a
Instruction ID: 159b6f691d5ff27d12ab30a59232969873a043c5f403e4444e0b8905b7829621
Opcode Fuzzy Hash: 90bb83fa7776ed93d0da856b8a3e6ce9c4dbb2454710fb748a419578ffc60a1a
Instruction Fuzzy Hash: 8051C072A09B8082E7608B95E484BAD7371FB89BE8F504236EE9D53758DF3CD582C741

Function 00007FF650A28C30 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF650A28D4B

Strings

Address %p has no image-section, xrefs: 00007FF650A28CA2, 00007FF650A28DF5
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF650A28DE1
VirtualProtect failed with code 0x%x, xrefs: 00007FF650A28DBE
Mingw-w64 runtime failure:, xrefs: 00007FF650A28C67

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 02d614dfa8185db52efcd01afb4849760be1b7bc499b1083443bb5334d1fc27a
Instruction ID: d1ca22259d4b2c2f2cfc603330b4c426d7c3322038e107293ebe389a891bdbff
Opcode Fuzzy Hash: 02d614dfa8185db52efcd01afb4849760be1b7bc499b1083443bb5334d1fc27a
Instruction Fuzzy Hash: BB51C433A0AA4BA2EB108B52EC806A97760FB99B94F4C4131EE4DA7395DF3DE545C740

Function 00007FF8E7B175E0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF8E7B176FB

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF8E7B17617
VirtualProtect failed with code 0x%x, xrefs: 00007FF8E7B1776E
Address %p has no image-section, xrefs: 00007FF8E7B17652, 00007FF8E7B177A5
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF8E7B17791

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 28f240d08aa4f89baa3871d4531be182b0c14c0bdf7d081bf6bfcfc7e573e459
Instruction ID: 2f28048250e42f3754f7718d40e40d65e77c457d1b853083731093f7482b1cf1
Opcode Fuzzy Hash: 28f240d08aa4f89baa3871d4531be182b0c14c0bdf7d081bf6bfcfc7e573e459
Instruction Fuzzy Hash: 5051AD72A49A8682EB108B91E8407AEBBA4FFD9BD4F544131DE6C07394DE3CE485C741

Function 00007FF650A2BD70 Relevance: 12.4, APIs: 8, Instructions: 355COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF650A2C025

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: d2623296c75c8317225f068edeea6053287046020c41a073c712053802fb2e7c
Instruction ID: 4c0de70765c23a4b44ec356a647c6635510175e01643895f3cc0dfe4a541bb8f
Opcode Fuzzy Hash: d2623296c75c8317225f068edeea6053287046020c41a073c712053802fb2e7c
Instruction Fuzzy Hash: FBE182B3A1810397F7648F66C94077977E1EB58B58F298235CB09A778ADE3CEC408B40

Function 00007FF8E7B1A530 Relevance: 12.4, APIs: 8, Instructions: 355COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF8E7B1A7E5

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 6455380b65f2535aa43ea52f4673dc818bd6c141cbea47eaf03f434f54f19436
Instruction ID: acfe8d278df180c46443f491cd6b30a49c5eacdca859672c33272b347dc1c5d7
Opcode Fuzzy Hash: 6455380b65f2535aa43ea52f4673dc818bd6c141cbea47eaf03f434f54f19436
Instruction Fuzzy Hash: 03E15EB2A182428AE764CF65C15473D7BF1EBD5B98F258239CA194B688DB3CFC41CB41

Function 00007FF650A2A150 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF650A2A182
RaiseException.KERNEL32 ref: 00007FF650A2A1A4
abort.MSVCRT(?,?,?,?,?,?,?,?,00007FF650A5441B,?,?,?,00007FF650A54178), ref: 00007FF650A2A1D0
RaiseException.KERNEL32 ref: 00007FF650A2A217

Strings

CCG , xrefs: 00007FF650A2A17D
CCG", xrefs: 00007FF650A2A19F
CCG", xrefs: 00007FF650A2A212

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: ExceptionRaise$abort
String ID: CCG $CCG"$CCG"
API String ID: 3325032505-1179968548
Opcode ID: 6155bbc2972aea80dd357c6f9dd873a51dfca5167871fe7239fcb68a4b93464d
Instruction ID: de114f8f8baedef4ee310fe9da109ffac8f1c91c9cb726a1ef9d48bee7734a7e
Opcode Fuzzy Hash: 6155bbc2972aea80dd357c6f9dd873a51dfca5167871fe7239fcb68a4b93464d
Instruction Fuzzy Hash: D7214F33A24B8183E3508B55E4403A96771F7DA788F24E22AEA8E57764DF7EC5928700

Function 00007FF8E7B18900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF8E7B18932
RaiseException.KERNEL32 ref: 00007FF8E7B18954
abort.MSVCRT(?,?,?,?,?,?,?,?,00007FF8E7B2210B,?,?,?,00007FF8E7B21E68), ref: 00007FF8E7B18980
RaiseException.KERNEL32 ref: 00007FF8E7B189C7

Strings

CCG", xrefs: 00007FF8E7B189C2
CCG", xrefs: 00007FF8E7B1894F
CCG , xrefs: 00007FF8E7B1892D

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: ExceptionRaise$abort
String ID: CCG $CCG"$CCG"
API String ID: 3325032505-1179968548
Opcode ID: 53613a2d622f21e71032688e725efff7241a844c5a6880d00138c6d8c33be4d6
Instruction ID: a659bd7fab235ac8dd9988b7cb519900e03ad22ccc45980654d51de691be9d6d
Opcode Fuzzy Hash: 53613a2d622f21e71032688e725efff7241a844c5a6880d00138c6d8c33be4d6
Instruction Fuzzy Hash: 11217F33A25B8183E3508B94E4403A97761F7D9B88F20A22AEA9D17364DF7DC1928700

Function 00007FF650A300F0 Relevance: 11.5, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF650A30167
LeaveCriticalSection.KERNEL32 ref: 00007FF650A3019D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: CriticalLeaveSectionfree
String ID:
API String ID: 1679108487-0
Opcode ID: 0adf30420a38456bda5cec22cb01bc4186c16200f06ece984035fd22919c0e84
Instruction ID: 49315b482da39879c35815381fe6cd50f109a0d2d966622b1624ae59883529ab
Opcode Fuzzy Hash: 0adf30420a38456bda5cec22cb01bc4186c16200f06ece984035fd22919c0e84
Instruction Fuzzy Hash: 6B918332A19A03A6FB558B95D9A07B932A0FF49B84F4C4131DA0EB7796DF3DE4518340

Function 00007FF8E7B1E8B0 Relevance: 11.5, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF8E7B1E927
LeaveCriticalSection.KERNEL32 ref: 00007FF8E7B1E95D

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: CriticalLeaveSectionfree
String ID:
API String ID: 1679108487-0
Opcode ID: 1b8962f21e1c4b96ba69e026f945ac79706ff6e337c3f80089efbab90e5c3a60
Instruction ID: 8c41aebdb29eb29625f401ceaca34c1e3f7cea147ee029112fa7dc2eade36690
Opcode Fuzzy Hash: 1b8962f21e1c4b96ba69e026f945ac79706ff6e337c3f80089efbab90e5c3a60
Instruction Fuzzy Hash: 77916A31A49A8385FB608BA5E58037D37A5BF94BC6F484531DA2E8BB94DF3CB4518302

Function 00007FF650A44BA2 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A44BDB
memset.MSVCRT ref: 00007FF650A44C1B

Strings

basic_string::_M_create, xrefs: 00007FF650A44C2D, 00007FF650A44CDA, 00007FF650A44D8A, 00007FF650A44E3A, 00007FF650A44EEA

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_M_create
API String ID: 2221118986-3122258987
Opcode ID: 0e09e788f27b9f177f356dc5e55521f0ba2b3d79d8a11c7610ff5ba8fb92f5b8
Instruction ID: dc6075a206e6f23a84761fcb1394c471e9263f4be3133be1d858bc7a492ad38f
Opcode Fuzzy Hash: 0e09e788f27b9f177f356dc5e55521f0ba2b3d79d8a11c7610ff5ba8fb92f5b8
Instruction Fuzzy Hash: A881CA77B09A8265EF269F66F8802B8A650A759BD4F5C8135CFDD87392DE3CD482C300

Function 00007FF650A52250 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 294COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A52260
memcpy.MSVCRT ref: 00007FF650A522AE
memcpy.MSVCRT ref: 00007FF650A52374

Strings

basic_string::_M_create, xrefs: 00007FF650A525AB
basic_string::append, xrefs: 00007FF650A52308, 00007FF650A523B9, 00007FF650A52469

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$wcslen
String ID: basic_string::_M_create$basic_string::append
API String ID: 1844840824-3923985592
Opcode ID: e9448da7214d55d46f3a6dd9be7a987f2e7ac8cb33f78541989cd8544dd67dfe
Instruction ID: 0b213b233420ec3d3528cb5e97f739ea2e46d9aa836a593df350244dae10ace7
Opcode Fuzzy Hash: e9448da7214d55d46f3a6dd9be7a987f2e7ac8cb33f78541989cd8544dd67dfe
Instruction Fuzzy Hash: 6A91817BA09657A1EE108BA5E4101BD2361BB46BA4F5C8532DE1DA73D6EE3CE442C340

Function 00007FF8E7B177C0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,00007FF8E7C58A34,?,?,?,?,00007FF8E7B0124D), ref: 00007FF8E7B179A3

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF8E7B17B24
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF8E7B17B3A
Unknown pseudo relocation protocol version %d., xrefs: 00007FF8E7B17B46

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 176a619fb0b680867fe6370efde1010fe92bd4fe8d17e4c6ea9cfe6904e18e5e
Instruction ID: d3ecdcce8a12102a5f1c9f49f2d6392f45bb62351f20b082b481a3739dc510e9
Opcode Fuzzy Hash: 176a619fb0b680867fe6370efde1010fe92bd4fe8d17e4c6ea9cfe6904e18e5e
Instruction Fuzzy Hash: BEA19C32E5855382FB108BA5D85077E72A5AFE4BE4F148231D93D57BD8EE3CE8429342

Function 00007FF650A369C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A369E9
memcmp.MSVCRT ref: 00007FF650A36A0A
memcmp.MSVCRT ref: 00007FF650A36AA6

Strings

basic_string::compare, xrefs: 00007FF650A36A4D, 00007FF650A36AE5, 00007FF650A36B75, 00007FF650A36C25, 00007FF650A36C3E
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A36A54, 00007FF650A36AEC, 00007FF650A36B7C, 00007FF650A36C2C, 00007FF650A36C45

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 8eba21a0c5b588d9bccf02a7cb7609698d9b576d1b4c986afc1b9fc8a3d0aea6
Instruction ID: c0dfd38bf47466cc76e55a02da19f9e55e365c89738832ba390235f7d2b85214
Opcode Fuzzy Hash: 8eba21a0c5b588d9bccf02a7cb7609698d9b576d1b4c986afc1b9fc8a3d0aea6
Instruction Fuzzy Hash: 6D51B063F4998762FE109AA6EC502E452509F4ABE4F5C8231EE2DF77D3DD1CE9868300

Function 00007FF650A35480 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A354AA
memcmp.MSVCRT ref: 00007FF650A354C8
memcmp.MSVCRT ref: 00007FF650A35566

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A35514, 00007FF650A355AC, 00007FF650A3563C, 00007FF650A356EC, 00007FF650A35705
basic_string::compare, xrefs: 00007FF650A3550D, 00007FF650A355A5, 00007FF650A35635, 00007FF650A356E5, 00007FF650A356FE

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 198f3b227f30857ee76723fb75822729b1260bbce8665b74e23255c8d8515f24
Instruction ID: 7128e35be919efa7b92110bdaeddd9353f53c5e6ce2fc972c21cf330607630d0
Opcode Fuzzy Hash: 198f3b227f30857ee76723fb75822729b1260bbce8665b74e23255c8d8515f24
Instruction Fuzzy Hash: 5351F773F0958362EE1486BAE8442F412555F1ABE5F9C5631EE2DE73D3EE1CEA818300

Function 00007FF650A341E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF650A3421B
LocalFree.KERNEL32 ref: 00007FF650A34268
memcpy.MSVCRT ref: 00007FF650A342D5

Strings

Unknown , xrefs: 00007FF650A342EF
basic_string: construction from null is not valid, xrefs: 00007FF650A34397
error co, xrefs: 00007FF650A342FC

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: FormatFreeLocalMessagememcpy
String ID: Unknown $basic_string: construction from null is not valid$error co
API String ID: 1463094090-4228307607
Opcode ID: 787b955189c560e162dac32be70720551e745198ad51b2b75e3c363664ed0b07
Instruction ID: 814dab3e60a4eececd179da62aadfd038ddd98e7a2fe25e09ce7df1ec2fdf3b3
Opcode Fuzzy Hash: 787b955189c560e162dac32be70720551e745198ad51b2b75e3c363664ed0b07
Instruction Fuzzy Hash: 30417C33608B4291E7118F65E4503AEB7A5EB89BC8F588031EB8D97B99DF3DD456C300

Function 00007FF650A2A8B0 Relevance: 9.4, APIs: 6, Instructions: 414COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF650A2AA32
fputc.MSVCRT ref: 00007FF650A2AAAA
fputc.MSVCRT ref: 00007FF650A2AB02

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 5a2601bb742be21d7d0ed194e9666a6ba37078df609cf0cda1f1cf3f5c2d7d2e
Instruction ID: 00ac4e084526f59be4378a8d3d5e2c6acfff411579ad904a37f64c3dd94ca8f5
Opcode Fuzzy Hash: 5a2601bb742be21d7d0ed194e9666a6ba37078df609cf0cda1f1cf3f5c2d7d2e
Instruction Fuzzy Hash: 1EF1B573E1858357E7658F6699047392A91AF24BA8F5D8235CA1DB7BCACE3CEC41C700

Function 00007FF8E7B19070 Relevance: 9.4, APIs: 6, Instructions: 414COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF8E7B191F2
fputc.MSVCRT ref: 00007FF8E7B1926A
fputc.MSVCRT ref: 00007FF8E7B192C2

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 67e0c1fe5ae666fd804cf944b37e3220ac5a14e8281472bc3b8760f1b714fa65
Instruction ID: 95ca2d9ac645c51ea6081bdbd6dfd7c49f8c4114e307ae62e3621d3311c22442
Opcode Fuzzy Hash: 67e0c1fe5ae666fd804cf944b37e3220ac5a14e8281472bc3b8760f1b714fa65
Instruction Fuzzy Hash: A9F1C472E182C286FB658F65D00477D3A91BB95BE8F658234CA3D57BC4CA3CE941C742

Function 00007FF650A49BD0 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 325COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A49BFF
memset.MSVCRT ref: 00007FF650A49C43

Strings

basic_string::_M_create, xrefs: 00007FF650A49C64, 00007FF650A49D1A, 00007FF650A49DCA, 00007FF650A49E7A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_M_create
API String ID: 2221118986-3122258987
Opcode ID: 4b44bbbeae9dc4b1646844eb1030e5491146d3e538e3ce0a53e4b25d53cf4c50
Instruction ID: fc739c4103bb7a660014b788b5fd5d2ab518b31c27a224116e887fa61161e1b8
Opcode Fuzzy Hash: 4b44bbbeae9dc4b1646844eb1030e5491146d3e538e3ce0a53e4b25d53cf4c50
Instruction Fuzzy Hash: B9A194B7A08B82A5EB298F55F4802ADA690F755B94F5C8135CBAD87392DF3CD591C300

Function 00007FF650A40DB0 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 312COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A40E42

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A410A2, 00007FF650A411B2
basic_string::_S_create, xrefs: 00007FF650A40E8F, 00007FF650A40F86, 00007FF650A41096, 00007FF650A411A6

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 2221118986-1585226940
Opcode ID: 55844057d3f7c5db19d15d6d90bb1f8ddb2260f8e69176d58b11f3855ca9b239
Instruction ID: 2716a5fb2a46fcb71f270f590e350c2b4b88d326694e34e6b0c43322acc7410a
Opcode Fuzzy Hash: 55844057d3f7c5db19d15d6d90bb1f8ddb2260f8e69176d58b11f3855ca9b239
Instruction Fuzzy Hash: 53B10177B05683B5EA258F51E8402B936A0EB957E4F8C8335EE6D873D2EE38D585C340

Function 00007FF650A40030 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 298COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A400C2

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A40322, 00007FF650A40432
basic_string::_S_create, xrefs: 00007FF650A4010F, 00007FF650A40206, 00007FF650A40316, 00007FF650A40426

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 2221118986-1585226940
Opcode ID: e6ed32b3a5c6c1d762df7a3d10d15ca7f5c0089d545d4197bbf087d2a7cd484a
Instruction ID: 5d69031dd82626421f9326b10b441bce44f0421e08fd5257fcf6bf01374bc8cf
Opcode Fuzzy Hash: e6ed32b3a5c6c1d762df7a3d10d15ca7f5c0089d545d4197bbf087d2a7cd484a
Instruction Fuzzy Hash: DFA11177B05682B5EA159F61E8402F836A0EB957B4F8C4335EE6C973D2EE38D584C340

Function 00007FF650A51EC0 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A51ED0
memcpy.MSVCRT ref: 00007FF650A51F1D

Strings

basic_string::_M_create, xrefs: 00007FF650A520DD
basic_string::_M_replace, xrefs: 00007FF650A51FAB, 00007FF650A521B9

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpywcslen
String ID: basic_string::_M_create$basic_string::_M_replace
API String ID: 982415701-3182797996
Opcode ID: 68480958ced44fe4d218a67651c89615f425b4fa6ff5d62f5338f15568a5601a
Instruction ID: 32c3bf4af64d9f0b318ae9dccfb3dea6ecf60180a4e36767c04f043a6914c4b3
Opcode Fuzzy Hash: 68480958ced44fe4d218a67651c89615f425b4fa6ff5d62f5338f15568a5601a
Instruction Fuzzy Hash: F6919737B09A47A0EE249BA5E4402B96361BB45BD4F4C8532EE0DD7796EF3CE846C340

Function 00007FF650A4A6F0 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A4A71F
memset.MSVCRT ref: 00007FF650A4A763

Strings

basic_string::_M_create, xrefs: 00007FF650A4A784, 00007FF650A4A83A, 00007FF650A4A8EA, 00007FF650A4A99A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_M_create
API String ID: 2221118986-3122258987
Opcode ID: f851bbf691a1be4f93637b5c807fb9b1c4b727407fd193121e334bef4585c420
Instruction ID: dc3909f34250c83c2b03040bef20e3967c036c731f9abcf6fea15afbebecae8f
Opcode Fuzzy Hash: f851bbf691a1be4f93637b5c807fb9b1c4b727407fd193121e334bef4585c420
Instruction Fuzzy Hash: 5971C777A0968291EF358F65F8803A9A660E7697D4F5C8135CBDD87796DE3CD482C300

Function 00007FF650A4AAD0 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 263stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A4AAE0
memcpy.MSVCRT ref: 00007FF650A4AB29

Strings

basic_string::_M_replace, xrefs: 00007FF650A4ABAA, 00007FF650A4ADAB
basic_string::_M_create, xrefs: 00007FF650A4ACCC

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string::_M_create$basic_string::_M_replace
API String ID: 3412268980-3182797996
Opcode ID: 48abf738eba9e2a3f8189a12aaf7fd186d4ff5015c44ceeeab58cb8dc134f67b
Instruction ID: 615f3e09f754fa399fe9e9e1100391f3fbf60875d3842f6b875a94cb482f6d9d
Opcode Fuzzy Hash: 48abf738eba9e2a3f8189a12aaf7fd186d4ff5015c44ceeeab58cb8dc134f67b
Instruction Fuzzy Hash: E1919437B09A57B5EF109BA5D4502BD6351AB54FD8F8C8532DE8DA778ADE2CE842C300

Function 00007FF650A31000 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF650A3102B
___lc_codepage_func.MSVCRT ref: 00007FF650A31033
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF650A31083
MultiByteToWideChar.KERNEL32 ref: 00007FF650A310B5

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: f4751aef1eafc67f76771c00819b599d7fb6752d026c6847df3114e022fb8c14
Instruction ID: 5b98090a0ccc2dafd6776045765169486924158c6f1feeedeedd5adef2fe6aec
Opcode Fuzzy Hash: f4751aef1eafc67f76771c00819b599d7fb6752d026c6847df3114e022fb8c14
Instruction Fuzzy Hash: A7311733B0824359E7564B61A8403FA6694AB4A7E8F4C4336EEA9977C2DE7DD485C700

Function 00007FF8E7B1F820 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF8E7B1F84B
___lc_codepage_func.MSVCRT ref: 00007FF8E7B1F853
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF8E7B1F8A3
MultiByteToWideChar.KERNEL32 ref: 00007FF8E7B1F8D5

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: 5f39427e5e3fd4a3ee20e5b5c45756d92d827e3bf56739c64fefe41f8664ae75
Instruction ID: 3a8edb488f633554d05fbccf7cdeb6d6016d0cf441a8e5813ad50a2164fe9a05
Opcode Fuzzy Hash: 5f39427e5e3fd4a3ee20e5b5c45756d92d827e3bf56739c64fefe41f8664ae75
Instruction Fuzzy Hash: B731F633A0A2428DE7525B61F8003AD7654AB917E8F444236EEB9477D4DF7CD581C701

Function 00007FF650A31610 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF650A3162A
___lc_codepage_func.MSVCRT ref: 00007FF650A31632
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF650A3167C
MultiByteToWideChar.KERNEL32 ref: 00007FF650A316B2

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: e0ef47371ec9e278b31103b3fd6f656366c31e15180cfbc100e988709e094f72
Instruction ID: 41b170cb45062b7713d363e8255e7d447dbfd9ec555f2f352dd448f67e2cd005
Opcode Fuzzy Hash: e0ef47371ec9e278b31103b3fd6f656366c31e15180cfbc100e988709e094f72
Instruction Fuzzy Hash: 0E31F273B0D7035AEB614A91A4013F96690AB497E8F4C0635EEADA7BC2EF7DD4458B00

Function 00007FF8E7B1FE30 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF8E7B1FE4A
___lc_codepage_func.MSVCRT ref: 00007FF8E7B1FE52
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF8E7B1FE9C
MultiByteToWideChar.KERNEL32 ref: 00007FF8E7B1FED2

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: a3287d4ffe005055a906fa946a28c476f793c0b8a98b9791bce0218bc2970884
Instruction ID: c81964c16aa174b95526cb8230dfafca91c8c871c111e12141fce6f6e03497be
Opcode Fuzzy Hash: a3287d4ffe005055a906fa946a28c476f793c0b8a98b9791bce0218bc2970884
Instruction Fuzzy Hash: 8931CE72A0A60149EB614B91E4003BD7690AB86BE8F444235EEBD47BD5EFBCD884C702

Function 00007FF650A118E0 Relevance: 9.1, APIs: 6, Instructions: 87stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF650A119A8
strcpy_s.MSVCRT ref: 00007FF650A119D1
strcpy_s.MSVCRT ref: 00007FF650A119DF
strcpy_s.MSVCRT ref: 00007FF650A119ED
_strlwr.MSVCRT ref: 00007FF650A119F3
_strlwr.MSVCRT ref: 00007FF650A119FC

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strcpy_s$_strlwr$ByteCharMultiWide
String ID:
API String ID: 2752519838-0
Opcode ID: b49aae15f71631d1fe2494b4ed0ca7c17df8e33b82628a1c7862367309f633f0
Instruction ID: 35f42c2b71338f225c9545bc9a87efd872513896740a5e7f134f7c40fe21502a
Opcode Fuzzy Hash: b49aae15f71631d1fe2494b4ed0ca7c17df8e33b82628a1c7862367309f633f0
Instruction Fuzzy Hash: 66319272604B8692EB608F51F8407AA6761FB8AB94F4C4135EF4E63794CF3DC056D704

Function 00007FF650A343E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF650A343EE
strlen.MSVCRT ref: 00007FF650A34409
memcpy.MSVCRT ref: 00007FF650A34478

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 00007FF650A344A0
basic_string: construction from null is not valid, xrefs: 00007FF650A34487

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpystrerrorstrlen
String ID: __gnu_cxx::__concurrence_lock_error$basic_string: construction from null is not valid
API String ID: 2955597728-1066207237
Opcode ID: 836aa0fc2834f70cafe947f1e6ca398b506a69b679ba53fd7d483ca8a08dd999
Instruction ID: a4d9b4ebc142b8ee52e4d2321d1651b55b07ed165432c5af04a59dbc78b7ba99
Opcode Fuzzy Hash: 836aa0fc2834f70cafe947f1e6ca398b506a69b679ba53fd7d483ca8a08dd999
Instruction Fuzzy Hash: 0A11B233A09B42A9EE509B61E8002BC2794AB4EBD8F4C4130DE4D97786DE3CE150C310

Function 00007FF650A4B3C0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF650A4B509, 00007FF650A4B5A2, 00007FF650A4B632, 00007FF650A4B6C2, 00007FF650A4B752

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: f4b0626a091b5ff5dedc6222a4086b63f5ae70f49485ddd7f5157f6618e1ac69
Instruction ID: 1de136087d1a6854f37cf7661876307ff702f457e089ee632f4671e40e58594e
Opcode Fuzzy Hash: f4b0626a091b5ff5dedc6222a4086b63f5ae70f49485ddd7f5157f6618e1ac69
Instruction Fuzzy Hash: 82A1B777B25647B5ED249F66E8400B8A260AB55BE0F5C8631DE5EE73D2DF2DE481C300

Function 00007FF650A2AF30 Relevance: 7.8, APIs: 5, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a67022de2d0f3e7fbb5a2b5da87f3078e3fa5e55b14ba386eecbdd5a6595ed1
Instruction ID: da582dc7560fb168a9fed255f7244c3ee18e85c47922fba2bad78bb286e1db69
Opcode Fuzzy Hash: 2a67022de2d0f3e7fbb5a2b5da87f3078e3fa5e55b14ba386eecbdd5a6595ed1
Instruction Fuzzy Hash: FEC17EB3E2825797E7658E66C80477A6BA1EB04B54F5D8235CA1CA738ADF3CF841C740

Function 00007FF8E7B196F0 Relevance: 7.8, APIs: 5, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9144cf1045d7e2c903a37bdb67ff89c02f36cefd9ce95b033c499c81022daf61
Instruction ID: 48f9b87f98a971512f239abb7bf3afd18da7764d6c89205e719e294322bac7e3
Opcode Fuzzy Hash: 9144cf1045d7e2c903a37bdb67ff89c02f36cefd9ce95b033c499c81022daf61
Instruction Fuzzy Hash: 4DC1A0B3E196D286E7658F68C00437D7BA1EB84BD8F598235CA2C57789CB3CE841C742

Function 00007FF650A3A080 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 246COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3A100
memcpy.MSVCRT ref: 00007FF650A3A1E8

Strings

basic_string::append, xrefs: 00007FF650A3A167, 00007FF650A3A282, 00007FF650A3A358
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3A16E

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
API String ID: 3510742995-4063909124
Opcode ID: 372393b1e24b62b7c528af8aae081c131a78d624f828ddd5c46040396ee5eb2d
Instruction ID: e1a85bd5712df4550c1254349acd5a14ff97b09432368b9112cb9c5ee8a55713
Opcode Fuzzy Hash: 372393b1e24b62b7c528af8aae081c131a78d624f828ddd5c46040396ee5eb2d
Instruction Fuzzy Hash: FA91D173B0A657A5EE10CF9AD4446BD6321AB69FC4F5C8531CF0DAB79ACE2DE4808340

Function 00007FF650A39D90 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A39DA1
memcpy.MSVCRT ref: 00007FF650A39DFC

Part of subcall function 00007FF650A3EFC0: memcpy.MSVCRT ref: 00007FF650A3F0A0

memcpy.MSVCRT ref: 00007FF650A39F04

Strings

basic_string::append, xrefs: 00007FF650A39E92, 00007FF650A39FA2

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::append
API String ID: 2619041689-3811946249
Opcode ID: 03d23536ebeb4d4294db75bf42d0466fa742dd0262f7fe9c41642cea724fb563
Instruction ID: a23893f3f6626082782cbdc0cccdb4a49eb278434d610e2dfa49ab84347a918c
Opcode Fuzzy Hash: 03d23536ebeb4d4294db75bf42d0466fa742dd0262f7fe9c41642cea724fb563
Instruction Fuzzy Hash: 9181A333B0964796EE10CF9AD5842BD6351AB49FD8F6C8431DB0DE7796DE2DE4818340

Function 00007FF650A40480 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A4050E
strlen.MSVCRT ref: 00007FF650A4049C

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

memcpy.MSVCRT ref: 00007FF650A40615

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A40576, 00007FF650A40689
basic_string::_S_create, xrefs: 00007FF650A40582, 00007FF650A4067D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$mallocstrlen
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 2479879881-1585226940
Opcode ID: 710194d4991f7a2f98d4c391bc7678ba07feb2b1053acad1e0f12206fa4c42b0
Instruction ID: 71e25d8053d812397608e6c25aec2d00b9f8997ba509fcaa5ed8d2fb7c7e7604
Opcode Fuzzy Hash: 710194d4991f7a2f98d4c391bc7678ba07feb2b1053acad1e0f12206fa4c42b0
Instruction Fuzzy Hash: 55510477A0664375EA119F51E8402F82690EB997E0F8C4736EE6D973D2EF38D594C340

Function 00007FF650A3F700 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3F78E
strlen.MSVCRT ref: 00007FF650A3F71C

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

memcpy.MSVCRT ref: 00007FF650A3F895

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A3F7F6, 00007FF650A3F909
basic_string::_S_create, xrefs: 00007FF650A3F802, 00007FF650A3F8FD

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$mallocstrlen
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 2479879881-1585226940
Opcode ID: ad90a48527fd3c0c35911f54050373d7dc964c86d66f23b1fdff391e4a4f1204
Instruction ID: ba5eeb1fa854281417e63072320b28fe3c6d32939563166d7b484ff21cd74f16
Opcode Fuzzy Hash: ad90a48527fd3c0c35911f54050373d7dc964c86d66f23b1fdff391e4a4f1204
Instruction Fuzzy Hash: C5511373B15683A9EA159F51E8413F826A0AB597E0F8C4736EE2D973D2EF38D584C340

Function 00007FF650A3EA8D Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A3EBEA
memcpy.MSVCRT ref: 00007FF650A3EC16
memset.MSVCRT ref: 00007FF650A3EC6E

Strings

basic_string::replace, xrefs: 00007FF650A3EAB0, 00007FF650A3EAC3, 00007FF650A3EAD2
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3EAB7, 00007FF650A3EAD9

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$memset
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 438689982-3564965661
Opcode ID: ae16e8adeca1e503202f87713b16739ba9d0129533bec58a53f1e86279340467
Instruction ID: e0c46822a6172b66b5f168a19903b4e94a257eba42082f74fe7103cbc8d55121
Opcode Fuzzy Hash: ae16e8adeca1e503202f87713b16739ba9d0129533bec58a53f1e86279340467
Instruction Fuzzy Hash: E941AA72B09647A1EE10CF52E8442B927A1AB49BD4F8D4232DE1DA73E6EE3CE545C340

Function 00007FF650A49590 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A495AD
memcpy.MSVCRT ref: 00007FF650A49612

Strings

basic_string: construction from null is not valid, xrefs: 00007FF650A49628, 00007FF650A496F6
basic_string::_M_create, xrefs: 00007FF650A4961C, 00007FF650A496EA

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string: construction from null is not valid$basic_string::_M_create
API String ID: 3412268980-1223694479
Opcode ID: 73c9ca1c5c9a256c84203b450f9d76c842154531fc75efa77a43ac5dd138d846
Instruction ID: ee7b053c06326a5be38091e73a8de659b13926736667dad54bce5dac4773bf53
Opcode Fuzzy Hash: 73c9ca1c5c9a256c84203b450f9d76c842154531fc75efa77a43ac5dd138d846
Instruction Fuzzy Hash: A041D377A09783A5EE269F65F8802B8A650AB197C8F5C8531CF8D96393EF3CD552C300

Function 00007FF650A4A0B0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A4A0CD
memcpy.MSVCRT ref: 00007FF650A4A132

Strings

basic_string: construction from null is not valid, xrefs: 00007FF650A4A148, 00007FF650A4A216
basic_string::_M_create, xrefs: 00007FF650A4A13C, 00007FF650A4A20A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string: construction from null is not valid$basic_string::_M_create
API String ID: 3412268980-1223694479
Opcode ID: f0c37abbaba62541ab1a03470bd25d44678d9405c139f7e820df20979a977a86
Instruction ID: d71bd991b34993c1c85b4a6c10a904b18a8811e744c3238b25ca3aec5a746d41
Opcode Fuzzy Hash: f0c37abbaba62541ab1a03470bd25d44678d9405c139f7e820df20979a977a86
Instruction Fuzzy Hash: 2B41D277A09783A5EE259F69F8402B86650AB6A788F9C8131CF9D96397DF3CD542C300

Function 00007FF650A51450 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A51473
memcpy.MSVCRT ref: 00007FF650A514E8

Strings

basic_string: construction from null is not valid, xrefs: 00007FF650A514FE, 00007FF650A515BE
basic_string::_M_create, xrefs: 00007FF650A514F2, 00007FF650A515B2

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpywcslen
String ID: basic_string: construction from null is not valid$basic_string::_M_create
API String ID: 982415701-1223694479
Opcode ID: 7dcb490e9a617bd7580b4ff398885b597feb55f7b670acec863021936b865c0b
Instruction ID: c208e101332fcc1c0de9995a03571b030ea33606a1e0ed2b7aa69ebcdaa11afd
Opcode Fuzzy Hash: 7dcb490e9a617bd7580b4ff398885b597feb55f7b670acec863021936b865c0b
Instruction Fuzzy Hash: 9A41A577A15A43A5EE259FA5E8405B82360BB45BA4F5C8631DE2E973D2FF3CD442C300

Function 00007FF650A508D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650A508F3
memcpy.MSVCRT ref: 00007FF650A50968

Strings

basic_string: construction from null is not valid, xrefs: 00007FF650A5097E, 00007FF650A50A3E
basic_string::_M_create, xrefs: 00007FF650A50972, 00007FF650A50A32

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpywcslen
String ID: basic_string: construction from null is not valid$basic_string::_M_create
API String ID: 982415701-1223694479
Opcode ID: e4aa45ff48d31592d6089a704b5feb5c79ab75178d94b4030b005af8b3c3b0b5
Instruction ID: 8d446bcaa0d58b25d8c5b46f019fa79ca1215e79edbbb581c31221f0ccb4fc6a
Opcode Fuzzy Hash: e4aa45ff48d31592d6089a704b5feb5c79ab75178d94b4030b005af8b3c3b0b5
Instruction Fuzzy Hash: 5E41A137A19B43A4EE259F65E8405B82360BF49BA4F5C8631DE2E963D6EF38D542C300

Function 00007FF650A11870 Relevance: 7.5, APIs: 5, Instructions: 34stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 00007FF650A1189D
strcpy_s.MSVCRT ref: 00007FF650A118AA
_strlwr.MSVCRT ref: 00007FF650A118B6
_strlwr.MSVCRT ref: 00007FF650A118BB
strstr.MSVCRT ref: 00007FF650A118C3

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: _strlwrstrcpy_s$strstr
String ID:
API String ID: 3965555556-0
Opcode ID: efbcc2a3401eb8c21b32cfdc81362c962182d1041dcd3ac11cd720865a6a4742
Instruction ID: 9a242e28a32a7a014b315b477c260acf1ecf303b804ea8c23733d7ff834b45f4
Opcode Fuzzy Hash: efbcc2a3401eb8c21b32cfdc81362c962182d1041dcd3ac11cd720865a6a4742
Instruction Fuzzy Hash: CDF08CA175469B56EA15AB12BD003E95714AB87FD1F4C40329E4E63795DD2CE2878304

Function 00007FF650A28E10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF650BC0060,00007FF650BC0068,00007FF650BC00B0,?,?,?,?,00000001,00007FF650A11244), ref: 00007FF650A28FF3

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF650A29174
Unknown pseudo relocation protocol version %d., xrefs: 00007FF650A29196
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF650A2918A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: bcffde39809061c7ea3fb1db8d3c9866b5d6e56b3355d360dec00a378ad89fc3
Instruction ID: c23e71be915799c90a4d48421f6e6c1f992c0dabade35854995416764897522b
Opcode Fuzzy Hash: bcffde39809061c7ea3fb1db8d3c9866b5d6e56b3355d360dec00a378ad89fc3
Instruction Fuzzy Hash: 7691D433E1A517A2FB144BA6DD402796361BF95BA4F5C8331DE1DA37DADE3CE8128200

Function 00007FF650A28770 Relevance: 6.3, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A287F5
memcpy.MSVCRT ref: 00007FF650A2880E
free.MSVCRT ref: 00007FF650A28819

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: bfd6b24141c09afc5479d5edd972624a462b0c0cdcee00c7c12b39fd30ec25df
Instruction ID: cfbd55fd58e6c4d8521b8ffa6bf5de1c60c36906a1a20228ff45af18bcd266b7
Opcode Fuzzy Hash: bfd6b24141c09afc5479d5edd972624a462b0c0cdcee00c7c12b39fd30ec25df
Instruction Fuzzy Hash: D3319233E0A653A5FA665B936E003B95250AF85BE0F5C8230ED5DABBC6DE3CE4418240

Function 00007FF8E7B17240 Relevance: 6.3, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8E7B172C5
memcpy.MSVCRT ref: 00007FF8E7B172DE
free.MSVCRT ref: 00007FF8E7B172E9

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 54317f0fdeac30bcebbf66fa6848f9a36ed90ca35f5092cf1ed1f2acbf0d2b7e
Instruction ID: 443bc390bc6fe50cf327cc7a19c32c06a224d3fb7c3d5716bdf590d362e1721d
Opcode Fuzzy Hash: 54317f0fdeac30bcebbf66fa6848f9a36ed90ca35f5092cf1ed1f2acbf0d2b7e
Instruction Fuzzy Hash: F7316472F5D64245FA665A91F60037EB651AFC5BE0F588230EE7E0BBC4DE2CA5438342

Function 00007FF650A50EE0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF650A5102B, 00007FF650A510D2, 00007FF650A51172, 00007FF650A51212

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: ea43ae0f9df0b401bb8964806251c7eb8c81abb4b1b8570c762acf9a0f8e89c6
Instruction ID: 762cd7807af7d2fa6eceeca4b7fbe611dccefea507cdc1f721c464b676397ae8
Opcode Fuzzy Hash: ea43ae0f9df0b401bb8964806251c7eb8c81abb4b1b8570c762acf9a0f8e89c6
Instruction Fuzzy Hash: C7C1E277A19B42A1EE188F65D4402BC62A0FB45BE4F5C8732DA2D977D5EF38D592C300

Function 00007FF650A18FF8 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A19184

Strings

ty, xrefs: 00007FF650A190EE
y, xrefs: 00007FF650A22F2C
t, xrefs: 00007FF650A22F0A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strlen
String ID: t$ty$y
API String ID: 39653677-1920740250
Opcode ID: e43110739a29eee34cbe1b1be042f1a923287325b8ab67ec124107a2e7bbb47f
Instruction ID: 925f3f994bc8eac163cd2d1ae8c39719cc903b7f40bdb329ec2c46dd270cf686
Opcode Fuzzy Hash: e43110739a29eee34cbe1b1be042f1a923287325b8ab67ec124107a2e7bbb47f
Instruction Fuzzy Hash: D1E1DA725087C286E7568F38C4143E93AA1EB29F4CF0C8135CB894B79ADBBE9495D361

Function 00007FF8E7B07AC8 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8E7B07C54

Strings

ty, xrefs: 00007FF8E7B07BBE
y, xrefs: 00007FF8E7B119FC
t, xrefs: 00007FF8E7B119DA

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: strlen
String ID: t$ty$y
API String ID: 39653677-1920740250
Opcode ID: 7cba5d3e039096a41f8a339d5ddadbf7cfaf77b8164e9bc0ce16bdb1ec47ffa2
Instruction ID: 943bd50607620e5bec5b64d67aa07d05ced381fdc0f8edf351402a0aa4e5b13b
Opcode Fuzzy Hash: 7cba5d3e039096a41f8a339d5ddadbf7cfaf77b8164e9bc0ce16bdb1ec47ffa2
Instruction Fuzzy Hash: B2E10B725087C2C6E7568F34C0143ED3AA1EB66F4CF0C8135CB990B799DBBE94959362

Function 00007FF650A51A60 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF650A51BAB, 00007FF650A51C52, 00007FF650A51CF2, 00007FF650A51D92

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: 7da6f4f36f1f73ec5b7a546f4762f1bfe277916da9ea98c50cf4b19c21c515e3
Instruction ID: 658b49b0be5cff0375e6a6b1769b4664f779c07bb2872442574b4272466c3c3e
Opcode Fuzzy Hash: 7da6f4f36f1f73ec5b7a546f4762f1bfe277916da9ea98c50cf4b19c21c515e3
Instruction Fuzzy Hash: 2491E577A15642A0EE149F65D8402B863A4FB45FE4F9C8631DA2EA77D2FF28D592C300

Function 00007FF650A1B39C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF650A1B40C
strcmp.MSVCRT ref: 00007FF650A1B449

Strings

(, xrefs: 00007FF650A226B5

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strcmp
String ID: (
API String ID: 1004003707-3887548279
Opcode ID: 9b5e40d95a969893f422e751823e152ca0812ee9feaaa9d1211389d9f718fa2e
Instruction ID: e6726136220a0940c0eb10b4e0ccf743d1c488c12c0c3e9b46cb28a1ed79bf04
Opcode Fuzzy Hash: 9b5e40d95a969893f422e751823e152ca0812ee9feaaa9d1211389d9f718fa2e
Instruction Fuzzy Hash: EEA16B73A0878792EB659F66C8003E927A1EB55F88F4C8032CF5A5B796DF7DD8848350

Function 00007FF8E7B09E6C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8E7B09EDC
strcmp.MSVCRT ref: 00007FF8E7B09F19

Strings

(, xrefs: 00007FF8E7B11185

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: strcmp
String ID: (
API String ID: 1004003707-3887548279
Opcode ID: b43b284491c0c081eebab03375e6f86cd4740b6b55f0371bbbdcb6c4ad6fc5c4
Instruction ID: 13dfe97d2f1bb50afde710ac7d5bc85fccf14c4ceece1813cbaec7a08d5e78e5
Opcode Fuzzy Hash: b43b284491c0c081eebab03375e6f86cd4740b6b55f0371bbbdcb6c4ad6fc5c4
Instruction Fuzzy Hash: 7DA16A72A08786C5EB558E65D4043ED37A1EB96BC8F488032CF6E0B796DF7DD8848361

Function 00007FF650A1A330 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A1E993

Strings

a, xrefs: 00007FF650A235A2
rm, xrefs: 00007FF650A235B6
a, xrefs: 00007FF650A2359D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strlen
String ID: a$a$rm
API String ID: 39653677-3573517395
Opcode ID: cef21104d7ad3f74ec1e8ac962380a6aeb3cf4f49fc749b6bb651a17baed4aec
Instruction ID: fee9fbcc075971fdbc3d3f001cce2dca2d1290de2372c82e0532eb785e625788
Opcode Fuzzy Hash: cef21104d7ad3f74ec1e8ac962380a6aeb3cf4f49fc749b6bb651a17baed4aec
Instruction Fuzzy Hash: AEB12E739087C2C5E7568F29C4043EC2A91EB25F4CF1C8136CB894B79ADFBE94569361

Function 00007FF8E7B08E00 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8E7B0D463

Strings

a, xrefs: 00007FF8E7B1206D
a, xrefs: 00007FF8E7B12072
rm, xrefs: 00007FF8E7B12086

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: strlen
String ID: a$a$rm
API String ID: 39653677-3573517395
Opcode ID: 002a69ba7db763090160bd936f752d77aff701eea4059a01ae40fa1a6c25be73
Instruction ID: 511e65ad219861d27f19642129e44f70228c4e0769ddff8c1ae89425fda61ba5
Opcode Fuzzy Hash: 002a69ba7db763090160bd936f752d77aff701eea4059a01ae40fa1a6c25be73
Instruction Fuzzy Hash: 15B141729087C2C5E7568F28C0183ED3A91EB55F8CF1C8135CB990F799DBBE94969322

Function 00007FF650A502B0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A50376
memcpy.MSVCRT ref: 00007FF650A503AE
memcpy.MSVCRT ref: 00007FF650A50400

Strings

basic_string::_M_create, xrefs: 00007FF650A50457

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: bf741605dca7d7cde466f161eac2d8138d09c84fa8dd8dd3d4031ec908cf47e8
Instruction ID: 523cd1de80d354b3b633fd54e0bd1309f80d8f612196996f4f14284f16d693cd
Opcode Fuzzy Hash: bf741605dca7d7cde466f161eac2d8138d09c84fa8dd8dd3d4031ec908cf47e8
Instruction Fuzzy Hash: 8461B37BA19657A1EE658B95D0006BD6360FF01BA8F8C8631DA1DA77D6EF3CE542C300

Function 00007FF650A3C890 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A3C93C

Strings

basic_string::append, xrefs: 00007FF650A3C991, 00007FF650A3CAA1
basic_string::resize, xrefs: 00007FF650A3C985, 00007FF650A3CA95

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::append$basic_string::resize
API String ID: 2221118986-1480708123
Opcode ID: e2446b88623f549e9f119c118ec83f2e5278233a0583e365e4bdae2a0f000cbf
Instruction ID: dc8daa46a044ff268bde906921e05a2ef7174861a865b7aff3dacf8a66d1e74f
Opcode Fuzzy Hash: e2446b88623f549e9f119c118ec83f2e5278233a0583e365e4bdae2a0f000cbf
Instruction Fuzzy Hash: FB51A173F49587A1FE10CEAAE8442F966526B49BD4F6C8131CB4DEB3C6DE2DD8808340

Function 00007FF650A383F0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A38473
memcpy.MSVCRT ref: 00007FF650A38573

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A384DF, 00007FF650A385DF
basic_string::_S_create, xrefs: 00007FF650A384D3, 00007FF650A385D3

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$malloc
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 962570267-1585226940
Opcode ID: bcd7b8e0bb605fd17f338f16916ea18180f09fe93d3b2168c78ba2775d3a8f27
Instruction ID: 05528b5c099a9a612e89053641f159d2105250b24fff9bb5f7b9d32cca83fa02
Opcode Fuzzy Hash: bcd7b8e0bb605fd17f338f16916ea18180f09fe93d3b2168c78ba2775d3a8f27
Instruction Fuzzy Hash: E641D233B09783A9EE159F61E8503F82650AB987A4F8C4631EE2D973D2EE3CD584C340

Function 00007FF650A41A70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A41A81
memcpy.MSVCRT ref: 00007FF650A41ADC

Part of subcall function 00007FF650A3EFC0: memcpy.MSVCRT ref: 00007FF650A3F0A0

memcpy.MSVCRT ref: 00007FF650A41BE4

Strings

basic_string::append, xrefs: 00007FF650A41B72

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::append
API String ID: 2619041689-3811946249
Opcode ID: 57455ca2856472766590b3e286d9c08752a8f009bac979aad79564663301f0f8
Instruction ID: 554e8cbe7db1ff844ba934ec393972a6776c282528e2df0082606b76d60015b6
Opcode Fuzzy Hash: 57455ca2856472766590b3e286d9c08752a8f009bac979aad79564663301f0f8
Instruction Fuzzy Hash: 7351A23BB4AA47A5EE10CF9AD58427D2751AB45FC8F5C8431CF4DA7396EE2CE4828340

Function 00007FF650A49050 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A490F0
memcpy.MSVCRT ref: 00007FF650A49124

Strings

basic_string::_M_create, xrefs: 00007FF650A4920A

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: 11b0f2ff1f70f5827a1e3cb1054d91e79c3134cc77fb0c72c24e8241a8e948de
Instruction ID: 76af1f1581f60437e9399a636ed4b6d0944af6538800f374bdb9de008e641433
Opcode Fuzzy Hash: 11b0f2ff1f70f5827a1e3cb1054d91e79c3134cc77fb0c72c24e8241a8e948de
Instruction Fuzzy Hash: BF41253BB0D68771EA618A99D5043BA2261AB45BD8F4C4232CE9DA77C7DF3CE451C300

Function 00007FF8E7B01010 Relevance: 6.1, APIs: 4, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF8E7B01055
_amsg_exit.MSVCRT ref: 00007FF8E7B01083

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 586b16ec889c17369a6c936b766b2ac355b7a3ff8624551193ed95b69be91b28
Instruction ID: 0036a5487c67faf0b6fd30d2655abd0c05eec56c922ce47b4836ea2eb5571bb0
Opcode Fuzzy Hash: 586b16ec889c17369a6c936b766b2ac355b7a3ff8624551193ed95b69be91b28
Instruction Fuzzy Hash: B7416831A4928AC5F7298F86E88073E3395AF9ABC0F544031DE6C57390EE6DE8419353

Function 00007FF650A5399D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A53A73
memcpy.MSVCRT ref: 00007FF650A53AD2

Strings

basic_string::_M_create, xrefs: 00007FF650A539CD
basic_string::append, xrefs: 00007FF650A539B5, 00007FF650A539C1

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create$basic_string::append
API String ID: 3510742995-3923985592
Opcode ID: f5b6580c2867755e87272c6e9276c66cc57067d14edbb6f793dd36406fb642a2
Instruction ID: 10f84aede7fd4e90ca3f6c0abea978d30a2e627860a805cb58119f8ee6de3ea7
Opcode Fuzzy Hash: f5b6580c2867755e87272c6e9276c66cc57067d14edbb6f793dd36406fb642a2
Instruction Fuzzy Hash: 7931B037A19687A1EE20DF65E8502A96310FB45B98F4C8532EE1DA3396DF3CE446C340

Function 00007FF650A1A71B Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF650A1A786

Strings

new , xrefs: 00007FF650A228C2
: , xrefs: 00007FF650A1A7C9
, xrefs: 00007FF650A2292B

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: 19c102341e9ef1930413d3f4ab0fe5666a477e0eaf637c8d3b05c4b4a9bea946
Instruction ID: 8ae6871e333d0472ec28433dc4313d0aa9f4762d83b87601ebb2ec7e369dd0ec
Opcode Fuzzy Hash: 19c102341e9ef1930413d3f4ab0fe5666a477e0eaf637c8d3b05c4b4a9bea946
Instruction Fuzzy Hash: 89416B73A44747A1EB259A56D8003E92750AB92FD4F4C4032CF0AAB797DF7DD4859350

Function 00007FF8E7B091EB Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8E7B09256

Strings

: , xrefs: 00007FF8E7B09299
, xrefs: 00007FF8E7B113FB
new , xrefs: 00007FF8E7B11392

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: 405b407ec3b6bcd7ab3297b210cf5cf0696d8f345dc47c9aa0295716390fba65
Instruction ID: 34fa0f3c7bc595ec3ea69aec749955e09a9d57f69ba81c185d6243397225e113
Opcode Fuzzy Hash: 405b407ec3b6bcd7ab3297b210cf5cf0696d8f345dc47c9aa0295716390fba65
Instruction Fuzzy Hash: 49419D72B4874681EB5A9B96E8103FD3651EB92FC4F484032CF291B7C6EE7CD8858352

Function 00007FF650A42F90 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650A42FB8
memcpy.MSVCRT ref: 00007FF650A42FE7

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650A43055
basic_string::_S_create, xrefs: 00007FF650A42F92, 00007FF650A43070

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string::_S_construct null not valid$basic_string::_S_create
API String ID: 3412268980-1585226940
Opcode ID: a30b2714f8e9ece9f55c1bd623084c943f00f8f6ebb17da6efc21be67e6267d2
Instruction ID: 8b02590f2584631fbdb09e7bca46a635a00e6f0c41f13ed25bbddac698b87842
Opcode Fuzzy Hash: a30b2714f8e9ece9f55c1bd623084c943f00f8f6ebb17da6efc21be67e6267d2
Instruction Fuzzy Hash: 2421F377A49A47B1EB119B5AE8801BD27A0EF56BC4F8C4431DD8DAB392EE3DD052C340

Function 00007FF650A35270 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650A53F30: malloc.MSVCRT ref: 00007FF650A53F47

memcpy.MSVCRT ref: 00007FF650A35304

Strings

basic_string::substr, xrefs: 00007FF650A35364
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A3536B
basic_string::_S_create, xrefs: 00007FF650A35377

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: mallocmemcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_create$basic_string::substr
API String ID: 4276657696-2722529413
Opcode ID: 627f28bb7b7cbdf64b26f57ac1e737ce6b866fb099b00181185a8744c3fa0156
Instruction ID: 7fcc626f7e484e06b21361e99bb098aa9db1c89375e113f74ad76ac98113f390
Opcode Fuzzy Hash: 627f28bb7b7cbdf64b26f57ac1e737ce6b866fb099b00181185a8744c3fa0156
Instruction Fuzzy Hash: 2221E433B05683A9EE109F65E4902E86760EB58BE4F8C4632DA6D9B3D6DE7CD584C340

Function 00007FF650A379F0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A37A98

Strings

basic_string::_M_create, xrefs: 00007FF650A37AA2
basic_string::substr, xrefs: 00007FF650A37AB1
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A37AB8

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::substr
API String ID: 3510742995-456333499
Opcode ID: 08544d5542c51e39830f9cfac53499bac6c93912f3d2aa8dd0d7d6c5e194e743
Instruction ID: 2332692e4a25abf9870d6c3a39c3956e60ded1f86b8352a68b795f882fc07767
Opcode Fuzzy Hash: 08544d5542c51e39830f9cfac53499bac6c93912f3d2aa8dd0d7d6c5e194e743
Instruction Fuzzy Hash: 1311C333B05647A5EE219F55E9804AD6320AB59FD0B5C4631DA5E973D2EE3CE581C300

Function 00007FF650A453A0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650A453CB
memset.MSVCRT ref: 00007FF650A4540B

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 00007FF650A45448
basic_string::_M_create, xrefs: 00007FF650A4541D

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memset
String ID: basic_string::_M_create$basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 2221118986-670834496
Opcode ID: 13457a7cb84797bb620f93aff2bbf038bf025e3f99da619d8659050687440b57
Instruction ID: 82e42883b84a7b146d704d5a0e98649100a34c45379417f24e915551e8f56dbd
Opcode Fuzzy Hash: 13457a7cb84797bb620f93aff2bbf038bf025e3f99da619d8659050687440b57
Instruction Fuzzy Hash: B811C477E09647A1EE249B76F8810BC5261AB56BC0F9C8031CA4EAB353DEBDE5818340

Function 00007FF8E7B01480 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00007FF8E7B1F6EC
_unlock.MSVCRT ref: 00007FF8E7B1F716
calloc.MSVCRT ref: 00007FF8E7B1F76A

Memory Dump Source

Source File: 00000000.00000002.1565550890.00007FF8E7B01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7B00000, based on PE: true

Associated: 00000000.00000002.1565528874.00007FF8E7B00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565578252.00007FF8E7B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565675093.00007FF8E7C58000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565693657.00007FF8E7C59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565711045.00007FF8E7C5F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565763074.00007FF8E7C60000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1565831586.00007FF8E7C63000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8e7b00000_setup_run.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 53cfc9741e1959007db82f7a6280fff8cd2481f2bdb2585ed3602867377ef56e
Instruction ID: 2f7e46069763590dd83b4f597956ec7e25b8e5159949857ba4f86473bdeb78c6
Opcode Fuzzy Hash: 53cfc9741e1959007db82f7a6280fff8cd2481f2bdb2585ed3602867377ef56e
Instruction Fuzzy Hash: C3119D71B0BA4189EA459BA1E4103BD3295AF85BD4F588534EE6D4B3C8EF6CE854C302

Function 00007FF650A36830 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650A368B2

Strings

basic_string::substr, xrefs: 00007FF650A368CB
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650A368D2
basic_string::_M_create, xrefs: 00007FF650A368BC

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::substr
API String ID: 3510742995-456333499
Opcode ID: 39c907fb4268d103fb47ce20a90ce3545c025b3180355763355994c226830fba
Instruction ID: fd77748da54e13ba382b43bdab4adf73eae1459061560096aeefaf7cd83ba354
Opcode Fuzzy Hash: 39c907fb4268d103fb47ce20a90ce3545c025b3180355763355994c226830fba
Instruction Fuzzy Hash: 3E115473A09643A2FE219FA6E4901F9A360EB59B84F5C8435DA8D97342DE2DE581C340

Function 00007FF650A438F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

random_device could not be read, xrefs: 00007FF650A43CCA

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID:
String ID: random_device could not be read
API String ID: 0-883157155
Opcode ID: df090de8d1215837fcb7bb7027643a02f4d100092a77f229298efe81c47d043f
Instruction ID: 5c6ec5f0cec7c45e5e5f1deef451add7f3de875ab571cf775a72d08ec3d721e2
Opcode Fuzzy Hash: df090de8d1215837fcb7bb7027643a02f4d100092a77f229298efe81c47d043f
Instruction Fuzzy Hash: 6801DB3BB09113BAF6215B69E4801786350AB4A7A5F4C4530DE5DB37D2DE3CE886C700

Function 00007FF650A28B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87
Unknown error, xrefs: 00007FF650A28C0C

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: fb2494df61a781927dc97855f126e01a0f933b16e083b8aa5efe5ec374127a84
Instruction ID: 04073b71d383277a99d131e567959cdab4427129ec9e22c8cd7fcc43798b2fb1
Opcode Fuzzy Hash: fb2494df61a781927dc97855f126e01a0f933b16e083b8aa5efe5ec374127a84
Instruction Fuzzy Hash: 64018262908E8AD2D6068F1CD8411EA7374FF9A79AF285331EA8D66321DF2ED543C700

Function 00007FF650A28BF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF650A28BF0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f96e668b9466e6867bcc662321d02f2f4ad65ed2d4b379b632894493d2a5a3d4
Instruction ID: 1c959bc0d44b4e6e77c0580abf1e032c1612424836b410c78e2ccec62faffd3d
Opcode Fuzzy Hash: f96e668b9466e6867bcc662321d02f2f4ad65ed2d4b379b632894493d2a5a3d4
Instruction Fuzzy Hash: F8F04F67908E8992D2028F19E4400EBB371FF5E789F285725EA8D7A665DF2DD5428700

Function 00007FF650A28BE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87
Overflow range error (OVERFLOW), xrefs: 00007FF650A28BE0

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 8ac10f9a21144d61385e748f58a86b48f28a53e346cba4490ef006117e42cd98
Instruction ID: b5f8c2e49845d7c121951c91e69a87047935da8b35365ad1942d414f52acf919
Opcode Fuzzy Hash: 8ac10f9a21144d61385e748f58a86b48f28a53e346cba4490ef006117e42cd98
Instruction Fuzzy Hash: 69F04F63908E8992D2028F18E8400EBB370FF5E789F285735EA8D76665DF2DD5428700

Function 00007FF650A28BD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87
Partial loss of significance (PLOSS), xrefs: 00007FF650A28BD0

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 8de20a3abdc4ebcc6a70fcdf327e612a9c6f9fb86ae6a8a5895c362f73619deb
Instruction ID: f962f6cd56dd3ac5c35840b4f08a18a2140faeef2ff05dcc7415a51cf81f4436
Opcode Fuzzy Hash: 8de20a3abdc4ebcc6a70fcdf327e612a9c6f9fb86ae6a8a5895c362f73619deb
Instruction Fuzzy Hash: 70F04F63908E8992D6028F18E8400EBB370FF5E789F285735EA8D76665DF2DD5428700

Function 00007FF650A28BC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

Argument domain error (DOMAIN), xrefs: 00007FF650A28BC0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: eae4db3c51d27c9f10e829195f5309f9fe04053ad4445b06bc0f5474d61dcecf
Instruction ID: 4b7e24d14189a3a35a71dd35fab3b60a028d6d0949ab7e37489cc7bb9a85087a
Opcode Fuzzy Hash: eae4db3c51d27c9f10e829195f5309f9fe04053ad4445b06bc0f5474d61dcecf
Instruction Fuzzy Hash: 42F04F63908E8992D2028F1CE8400EBB370FF5E789F285735EA8D76665DF2DD5428700

Function 00007FF650A28C00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87
Total loss of significance (TLOSS), xrefs: 00007FF650A28C00

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 5d717b50cbbbcd3046eab9ade0a685ea58ef741d6b88ac452b9e502f3836b93c
Instruction ID: 9286540916712ff04a65b4ea175990d7df70cf9ee9010d39927efbebd1fa7881
Opcode Fuzzy Hash: 5d717b50cbbbcd3046eab9ade0a685ea58ef741d6b88ac452b9e502f3836b93c
Instruction Fuzzy Hash: E3F04F67908E8992D6028F18E4400EBB370FF5E789F2C5725EA8D76625DF2DD5428700

Function 00007FF650A28B58 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF650A28BA0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF650A28B87
Argument singularity (SIGN), xrefs: 00007FF650A28B58

Memory Dump Source

Source File: 00000000.00000002.1565335749.00007FF650A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650A10000, based on PE: true

Associated: 00000000.00000002.1565314474.00007FF650A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565370743.00007FF650A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565390076.00007FF650A56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565494617.00007FF650BC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1565511593.00007FF650BC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650a10000_setup_run.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 0b2b7bfa8aab3d0fe8c0960d9098e595bb0e9222e7c9299ecbdedb2ad25dbdab
Instruction ID: 4d3d9c30d5581b6f06413cea5e95478546ab48f2afea52fe2f3370c36e323ebf
Opcode Fuzzy Hash: 0b2b7bfa8aab3d0fe8c0960d9098e595bb0e9222e7c9299ecbdedb2ad25dbdab
Instruction Fuzzy Hash: 4AF06223904E8982D2028F18E4400EBB370FF5E789F185325EE8D3A225DF29D5428700

Analysis Process: setup_run.exePID: 6156, Parent PID: 1304COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 000000014007D670 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 000000014007D6B1
GetSystemMetrics.USER32 ref: 000000014007D6BF
GetSystemMetrics.USER32 ref: 000000014007D6CD
GetSystemMetrics.USER32 ref: 000000014007D6DB
GetDC.USER32 ref: 000000014007D6E5
GetDeviceCaps.GDI32 ref: 000000014007D6FB
GetDeviceCaps.GDI32 ref: 000000014007D70B
CreateCompatibleDC.GDI32 ref: 000000014007D718
CreateCompatibleBitmap.GDI32 ref: 000000014007D730
SelectObject.GDI32 ref: 000000014007D746
BitBlt.GDI32 ref: 000000014007D77C
SHCreateMemStream.SHLWAPI ref: 000000014007D7B2
SelectObject.GDI32 ref: 000000014007D7C8
DeleteDC.GDI32 ref: 000000014007D7D1
ReleaseDC.USER32 ref: 000000014007D7DC
DeleteObject.GDI32 ref: 000000014007D7E5
EnterCriticalSection.KERNEL32 ref: 000000014007D8DC
LeaveCriticalSection.KERNEL32 ref: 000000014007D8EE
IStream_Size.SHLWAPI ref: 000000014007D925
IStream_Reset.SHLWAPI ref: 000000014007D936
IStream_Read.SHLWAPI ref: 000000014007D9BB
SelectObject.GDI32 ref: 000000014007DA15
DeleteDC.GDI32 ref: 000000014007DA1E
ReleaseDC.USER32 ref: 000000014007DA2B
DeleteObject.GDI32 ref: 000000014007DA34

Strings

, xrefs: 000000014007D751

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: d212eff64643cacb1999093992a5ebe4d6820dca1c4ef29053fa3ebfdf322034
Instruction ID: c761e3dcf2ca50607f711692ae3d5fa1a73b19c118fb76df69a1b7be19708792
Opcode Fuzzy Hash: d212eff64643cacb1999093992a5ebe4d6820dca1c4ef29053fa3ebfdf322034
Instruction Fuzzy Hash: 9BB1FB72218BC086E761DB22F85439EB7A5F799BC0F409515EA8E43B69DF3CC085CB50

Function 00000001400B6780 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00000001400B682D
GetLastError.KERNEL32 ref: 00000001400B6837
FindFirstFileW.KERNEL32 ref: 00000001400B684E
GetLastError.KERNEL32 ref: 00000001400B685A
FindClose.KERNEL32 ref: 00000001400B6868
__std_fs_open_handle.LIBCPMT ref: 00000001400B68FB
CloseHandle.KERNEL32 ref: 00000001400B6911
CloseHandle.KERNEL32 ref: 00000001400B6A84

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: fac0728d82d401ae17cd6527dfa7cec771f605f4684e4a6118f8e15f273416ac
Instruction ID: 4c555171fdb32269f993dbe320281d8da3589f2165e7780f8660e14b5d5a2af7
Opcode Fuzzy Hash: fac0728d82d401ae17cd6527dfa7cec771f605f4684e4a6118f8e15f273416ac
Instruction Fuzzy Hash: 85917136604E4186EA668FB7A8147EA27A4EB9D7F4F144324BBBA476F4DE3CC4058700

Function 000000014007F1A0 Relevance: 26.6, APIs: 4, Strings: 10, Instructions: 2133timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 000000014007F4D0

Strings

time, xrefs: 0000000140080B81
computer_name, xrefs: 0000000140080494
[UTC, xrefs: 000000014007F4A3
cpu, xrefs: 0000000140080158
timezone, xrefs: 0000000140080F54
user_name, xrefs: 000000014007FF6F
ram, xrefs: 000000014008039B
%d-%m-%Y, %H:%M:%S, xrefs: 0000000140080A9F
system, xrefs: 000000014007FF24, 0000000140080013, 0000000140080109, 0000000140080203, 000000014008034B, 0000000140080445, 0000000140080538, 00000001400806BF, 00000001400808B0, 0000000140080B31, 0000000140080CF4, 0000000140080F0E, 00000001400810AD, 0000000140081257, 000000014008131D
gpu, xrefs: 0000000140080062

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: InformationTimeZone
String ID: %d-%m-%Y, %H:%M:%S$[UTC$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 565725191-1610854563
Opcode ID: 5706e5f6b44d1602c0a23a6b8bfe154f2a76095b40e57c506fe9ca51188122be
Instruction ID: f19afbfd6253ee69705efd8f0bb5942488cb11dc7c174a9ff5b99dff500e8289
Opcode Fuzzy Hash: 5706e5f6b44d1602c0a23a6b8bfe154f2a76095b40e57c506fe9ca51188122be
Instruction Fuzzy Hash: BE236C73614BC485EB22CB66E8503DE77A1F799798F405316EB9D07BA9EB78C290C700

Function 000000014007FB30 Relevance: 22.5, APIs: 3, Strings: 9, Instructions: 1516COMMON

Download Yara Rule

APIs

Part of subcall function 000000014007E770: GetCurrentHwProfileW.ADVAPI32 ref: 000000014007E7AC

Part of subcall function 000000014007E040: EnumDisplayDevicesW.USER32 ref: 000000014007E157
Part of subcall function 000000014007E040: EnumDisplayDevicesW.USER32 ref: 000000014007E1FB

Part of subcall function 000000014007DF60: RegGetValueA.ADVAPI32 ref: 000000014007DFC9

Part of subcall function 000000014007DC50: GetUserNameW.ADVAPI32 ref: 000000014007DC95

Part of subcall function 000000014007DCF0: GetComputerNameW.KERNEL32 ref: 000000014007DD35

GlobalMemoryStatusEx.KERNEL32 ref: 00000001400802BC
wcsftime.LIBCMT ref: 0000000140080AB2
GetModuleFileNameA.KERNEL32 ref: 0000000140080C46

Strings

time, xrefs: 0000000140080B81
computer_name, xrefs: 0000000140080494
cpu, xrefs: 0000000140080158
timezone, xrefs: 0000000140080F54
user_name, xrefs: 000000014007FF6F
ram, xrefs: 000000014008039B
%d-%m-%Y, %H:%M:%S, xrefs: 0000000140080A9F
system, xrefs: 000000014007FF24, 0000000140080013, 0000000140080109, 0000000140080203, 000000014008034B, 0000000140080445, 0000000140080538, 00000001400806BF, 00000001400808B0, 0000000140080B31, 0000000140080CF4, 0000000140080F0E, 00000001400810AD, 0000000140081257, 000000014008131D
gpu, xrefs: 0000000140080062

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Name$DevicesDisplayEnum$ComputerCurrentFileGlobalMemoryModuleProfileStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 2509368203-1182675529
Opcode ID: a24d453f497ec5ccc222e2942bc6fab3b7197f1e183f1ad2a7c7808663fb3d21
Instruction ID: b9e2a3095aa66bd1602ac9c2c660310c59abd0cb7c4daf2a31422e61ea064eff
Opcode Fuzzy Hash: a24d453f497ec5ccc222e2942bc6fab3b7197f1e183f1ad2a7c7808663fb3d21
Instruction Fuzzy Hash: 75F26D73614BC485DB22CF66E8503DE77A1F799798F409216EB9D17BA9EB38C290C700

Function 000000014003B6E0 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000000014003B7CC
GetProcAddress.KERNEL32 ref: 000000014003B8D7
GetProcAddress.KERNEL32 ref: 000000014003B999
GetProcAddress.KERNEL32 ref: 000000014003BA13
GetProcAddress.KERNEL32 ref: 000000014003BA95
GetProcAddress.KERNEL32 ref: 000000014003BB0F
GetProcAddress.KERNEL32 ref: 000000014003BB93
FreeLibrary.KERNEL32 ref: 000000014003C6C1

Strings

vault, xrefs: 000000014003C523
cannot use push_back() with , xrefs: 000000014003C70F
system, xrefs: 000000014003C4CD

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2449869053-1741236777
Opcode ID: 67fb20d40bc609d5e964c0f0a05f879f6765ac2f20643024e0551a5aa9effece
Instruction ID: 535b6c07042325de8a0606d6e2dee6c2713480c040d512ea1054d7922c1c3a75
Opcode Fuzzy Hash: 67fb20d40bc609d5e964c0f0a05f879f6765ac2f20643024e0551a5aa9effece
Instruction Fuzzy Hash: 71926D72205BC489DB62CF66E8843DE73A4F749798F504216EB9C5BBA9DF34C694C700

Function 0000000140074060 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 163
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140077330: GetCurrentProcess.KERNEL32 ref: 000000014007736B
Part of subcall function 0000000140077330: OpenProcessToken.ADVAPI32 ref: 000000014007737E
Part of subcall function 0000000140077330: GetTokenInformation.ADVAPI32 ref: 00000001400773BA
Part of subcall function 0000000140077330: CloseHandle.KERNEL32 ref: 00000001400773DB

ExitProcess.KERNEL32 ref: 00000001400740A7
OpenMutexA.KERNEL32 ref: 00000001400741C2
ExitProcess.KERNEL32 ref: 00000001400741D2
CreateMutexA.KERNEL32 ref: 00000001400741F1
ExitProcess.KERNEL32 ref: 0000000140074217

Part of subcall function 0000000140077670: GetModuleFileNameW.KERNEL32 ref: 00000001400776BA

Part of subcall function 0000000140082310: CoInitializeEx.OLE32 ref: 000000014008237A

Strings

SeDebugPrivilege, xrefs: 00000001400740AE
SeImpersonatePrivilege, xrefs: 00000001400740BA

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Process$Exit$MutexOpenToken$CloseCreateCurrentFileHandleInformationInitializeModuleName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 4279366119-3768118664
Opcode ID: ea9adccf4266fa564f3c75ff40f6c9aa00d003b5411e4f7f74ef0c39a7a00c1b
Instruction ID: 934be75c379623594f19c2476a79c6af4c698a7c3e3469cdbae4336d1c144a67
Opcode Fuzzy Hash: ea9adccf4266fa564f3c75ff40f6c9aa00d003b5411e4f7f74ef0c39a7a00c1b
Instruction Fuzzy Hash: 1C617D72618B8481FA16AB66B4513EE63A0FB8D7D0F405215FB9D47ABBDF3CC0818B11

Function 000000014007CD80 Relevance: 13.9, APIs: 9, Instructions: 379
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000000014007CFA7

Part of subcall function 00000001400A9B00: AcquireSRWLockExclusive.KERNEL32 ref: 00000001400A9B10

InternetOpenUrlA.WININET ref: 000000014007D018
HttpQueryInfoW.WININET ref: 000000014007D070
HttpQueryInfoW.WININET ref: 000000014007D100
InternetQueryDataAvailable.WININET ref: 000000014007D144
InternetReadFile.WININET ref: 000000014007D209
InternetQueryDataAvailable.WININET ref: 000000014007D2D4
InternetCloseHandle.WININET ref: 000000014007D37E
Concurrency::cancel_current_task.LIBCPMT ref: 000000014007D3BF

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen$AcquireCloseConcurrency::cancel_current_taskExclusiveFileHandleLockRead
String ID:
API String ID: 3609429561-0
Opcode ID: dbfbd13b73a7ea11e21b3859da353f2453185fdcc826e5489a0c25caf29e2933
Instruction ID: 3029d17a66785b724e0495933c7d904ff80b4dac0c59341df4a9ef07d0211fd6
Opcode Fuzzy Hash: dbfbd13b73a7ea11e21b3859da353f2453185fdcc826e5489a0c25caf29e2933
Instruction Fuzzy Hash: E0024B32A14B9486EB11CB6AE84039E77B5F799B94F204216FF8C57BA9DF78C181C740

Function 0000000140076B30 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSize.KERNEL32 ref: 0000000140076D71
SetFilePointer.KERNEL32 ref: 0000000140076E24
ReadFile.KERNEL32 ref: 0000000140076E53

Strings

ios_base::eofbit set, xrefs: 0000000140077294
ios_base::badbit set, xrefs: 0000000140077281, 00000001400772FF
exists, xrefs: 00000001400772DA
ios_base::failbit set, xrefs: 000000014007728D

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: File$PointerReadSize
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 404940565-15404121
Opcode ID: b49f10f408cf54b8073f20f732a0948432a703d8e82ef52778e75730b026a32b
Instruction ID: 6a266a4d215d5acaa4205c9aba5ef278ac21c9c5156ce4988b8f4d698187b97a
Opcode Fuzzy Hash: b49f10f408cf54b8073f20f732a0948432a703d8e82ef52778e75730b026a32b
Instruction Fuzzy Hash: 4F320632611BC489EB21DF35D8807DD37A1F789B88F548226EB8D5BBA9EB74C645C700

Function 000000014009AC80 Relevance: 10.8, APIs: 7, Instructions: 286
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009B0B2

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4d8293ae9f22f5597d74cdc2fcdcb919c76595381469856d4337612cb34eee02
Instruction ID: e66a9197b9e49f6dfc297b1b45ac88affdbe93d9cb16c0411d435ac94863a586
Opcode Fuzzy Hash: 4d8293ae9f22f5597d74cdc2fcdcb919c76595381469856d4337612cb34eee02
Instruction Fuzzy Hash: 8AC1007220468896EB639B6390543EE77A0F78ABE4F454105FB5A077F6CB7CC8A9C341

Function 000000014009E1AC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 000000014009E1DA

Part of subcall function 000000014009D640: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D654

_get_daylight.LIBCMT ref: 000000014009E1EB

Part of subcall function 000000014009D5E0: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D5F4

_get_daylight.LIBCMT ref: 000000014009E1FC

Part of subcall function 000000014009D610: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D624

Part of subcall function 0000000140098BD0: HeapFree.KERNEL32 ref: 0000000140098BE6
Part of subcall function 0000000140098BD0: GetLastError.KERNEL32 ref: 0000000140098BF0

GetTimeZoneInformation.KERNEL32 ref: 000000014009E223

Strings

Eastern Standard Time, xrefs: 000000014009E2C9
Eastern Summer Time, xrefs: 000000014009E2E1

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 4e844cfee981593521fa925c9a963193729182ac40cf2f9b5ee9636f632d1d2a
Instruction ID: 9069a5a7526ebf58f9b65de34f9c7423cbc9874846cff8cba74a8ba9ff9cfcd9
Opcode Fuzzy Hash: 4e844cfee981593521fa925c9a963193729182ac40cf2f9b5ee9636f632d1d2a
Instruction Fuzzy Hash: 68515E3221468086E722EF27E9917DA77A0F78CBC4F455126FB4987BB6DB38C941CB40

Function 0000000140086610 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00000001400867C4
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400867D2
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086A55
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086A63

Strings

value, xrefs: 00000001400866EA, 0000000140086983

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: 432aff35094455ab5d12ebf4f686fae32b6ab6da6044c98e889633a83685ba87
Instruction ID: 40c051a3d453efa789cd592290869c58a4371fdcae029fe46d21acfc2999a0c6
Opcode Fuzzy Hash: 432aff35094455ab5d12ebf4f686fae32b6ab6da6044c98e889633a83685ba87
Instruction Fuzzy Hash: 43028B33624BC485EB028B76D4403ED6B61F7997E4F505616FBAE53AEADB38C281C700

Function 000000014003C780 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003C7CA
Process32FirstW.KERNEL32 ref: 000000014003C80C
Process32NextW.KERNEL32 ref: 000000014003CA03
CloseHandle.KERNEL32 ref: 000000014003CC7A

Strings

[PID: , xrefs: 000000014003C84E

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 420147892-2210602247
Opcode ID: 142cd923d8e1db6475d1b13c17b16669045c4546525b061bf1a4bec42dd3539f
Instruction ID: 543c1ae47af1575e82cb81e75552ea585bb0cca8fb578dddf2a96ea3aa24745b
Opcode Fuzzy Hash: 142cd923d8e1db6475d1b13c17b16669045c4546525b061bf1a4bec42dd3539f
Instruction Fuzzy Hash: 52E19E72614BC485EB22DB26E8843DE77A1F7897A8F505215FB9D47BA9DF38C290C700

Function 0000000140083540 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014008358E
OpenProcessToken.ADVAPI32 ref: 00000001400835A1
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400835C2
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140083608
CloseHandle.KERNEL32 ref: 0000000140083628

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 2b7707f386e536716065defbee947cde64a60e4a18e9853ec8f3d8902209bb5d
Instruction ID: 6de46ed52ba7d7cb8401f60b49647101088c40efb7aee6d2928c38d29ee30ce6
Opcode Fuzzy Hash: 2b7707f386e536716065defbee947cde64a60e4a18e9853ec8f3d8902209bb5d
Instruction Fuzzy Hash: E2214832218B8092E7618B22F44439EB7A0FB8CBD4F559126FB8947B68DF7DC5558B40

Function 000000014007C570 Relevance: 6.4, APIs: 4, Instructions: 417networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000014007C74C
recv.WS2_32 ref: 000000014007CC2C
closesocket.WS2_32 ref: 000000014007CC3E
WSACleanup.WS2_32 ref: 000000014007CC44

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: recv$Cleanupclosesocket
String ID:
API String ID: 146070474-0
Opcode ID: 67acad71df19ebe51cd8ae3a9cdddeddadc0ebf3f9dede90a9e16a1a429c1b3f
Instruction ID: f407d13343cff1ae215ffc5d9839f8494f44057dd466eefff5e1905a477beef5
Opcode Fuzzy Hash: 67acad71df19ebe51cd8ae3a9cdddeddadc0ebf3f9dede90a9e16a1a429c1b3f
Instruction Fuzzy Hash: DE127B72618BC481EA229B16E4447DEA761F79D7E0F505216FBAD07AEADF7CC480CB00

Function 000000014003AB80 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 671COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32 ref: 000000014003ABE2
CredFree.ADVAPI32 ref: 000000014003B606

Strings

cannot use push_back() with , xrefs: 000000014003B654

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 3403564193-4122110429
Opcode ID: 1864a17b870cac0eca4980edb2f86cdca46595ff94a30cda55d04bcc751a648d
Instruction ID: 317d4487182a9a7df5130aa327217d9a1a1f05098988daea6262c9696d6e6e69
Opcode Fuzzy Hash: 1864a17b870cac0eca4980edb2f86cdca46595ff94a30cda55d04bcc751a648d
Instruction Fuzzy Hash: 14625172614BC489EB22CF65E8803DE7761F789798F505316EBAD17BA9DB38C294C700

Function 0000000140074330 Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140074393
ShellExecuteW.SHELL32 ref: 00000001400749DA

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: ExecuteFileModuleNameShell
String ID:
API String ID: 1703432166-0
Opcode ID: 84cdef99f10eb16fc2101d40e68c27580cf72ad7793b9300f0d258b433cfa6cc
Instruction ID: 11ba445dd14254953022699e21d7a2e373c1e9d01dd83dc4c40377bb2d7534f0
Opcode Fuzzy Hash: 84cdef99f10eb16fc2101d40e68c27580cf72ad7793b9300f0d258b433cfa6cc
Instruction Fuzzy Hash: 45121632625F848ADB418F2AE88179EB3A4F788794F505215FFDD57B68EB38C190C700

Function 000000014006FB20 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 000000014006FB78
LocalFree.KERNEL32 ref: 000000014006FC0A

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 18756fe114b58166e112b23e4a63fdcb86c67aa2f41ad9783cf6d16d7dcacca7
Instruction ID: 873a14662c3c813e27aea882096f0e286e411631dc22a23aca4a5841f0c88906
Opcode Fuzzy Hash: 18756fe114b58166e112b23e4a63fdcb86c67aa2f41ad9783cf6d16d7dcacca7
Instruction Fuzzy Hash: 70415232618B80CAE3218F71E8503ED37A5F75878CF444629AB8C07E9ADB79C2A4C744

Function 000000014007DC50 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 000000014007DC95

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 52415b4c9ca7df9c638af8cbd33fdd6586cec55d09137bf87cd5dcbd740ea69d
Instruction ID: 6582c7848d4419c196cd45f73649770a42aee45a7f840da9ad07b44588067aa7
Opcode Fuzzy Hash: 52415b4c9ca7df9c638af8cbd33fdd6586cec55d09137bf87cd5dcbd740ea69d
Instruction Fuzzy Hash: 06016D3221878186E762DF22F84039AB3A4F79C788F540226BB8D43669DBBCC194CB40

Function 0000000140076700 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140076480: InitializeCriticalSectionEx.KERNEL32 ref: 00000001400764D1
Part of subcall function 0000000140076480: GetLastError.KERNEL32 ref: 00000001400764DB

EnterCriticalSection.KERNEL32 ref: 0000000140076741
GdiplusStartup.GDIPLUS ref: 0000000140076768
LeaveCriticalSection.KERNEL32 ref: 0000000140076776
LeaveCriticalSection.KERNEL32 ref: 00000001400767A4
GdipGetImageEncodersSize.GDIPLUS ref: 00000001400767B2
GdipGetImageEncoders.GDIPLUS ref: 0000000140076846
GdipCreateBitmapFromScan0.GDIPLUS ref: 0000000140076910
GdipSaveImageToStream.GDIPLUS ref: 000000014007692E
GdipDisposeImage.GDIPLUS ref: 0000000140076993
GdipDisposeImage.GDIPLUS ref: 00000001400769A7

Strings

&, xrefs: 000000014007690A

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: 358e588af60fe387fe9b4ba1d174742ca31f0a37a50e745b7da2721fb6c209c1
Instruction ID: 54d8ac4dbd22dc960eb085a9fb90d560ef2c64957ae40f642de95e25eafbcb97
Opcode Fuzzy Hash: 358e588af60fe387fe9b4ba1d174742ca31f0a37a50e745b7da2721fb6c209c1
Instruction Fuzzy Hash: C1913C32600B418AEB52DF32E8407D937A4F79CBD8F558215EB4A57BA4DF38C596C340

Function 00000001400777B0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 224
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007D3D0: GetUserGeoID.KERNEL32 ref: 000000014007D3F7
Part of subcall function 000000014007D3D0: GetGeoInfoA.KERNEL32 ref: 000000014007D411
Part of subcall function 000000014007D3D0: GetGeoInfoA.KERNEL32 ref: 000000014007D461

WSAStartup.WS2_32 ref: 0000000140077929
socket.WS2_32 ref: 0000000140077946
htons.WS2_32 ref: 0000000140077967
inet_pton.WS2_32 ref: 0000000140077994
connect.WS2_32 ref: 00000001400779AE
closesocket.WS2_32 ref: 00000001400779C4
WSACleanup.WS2_32 ref: 00000001400779CA

Part of subcall function 00000001400769E0: SHGetKnownFolderPath.SHELL32 ref: 0000000140076A39
Part of subcall function 00000001400769E0: CoTaskMemFree.OLE32 ref: 0000000140076AFA

Strings

geo, xrefs: 00000001400778D6
system, xrefs: 0000000140077895

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Info$CleanupFolderFreeKnownPathStartupTaskUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 469733038-2364779556
Opcode ID: 8b9b473d5a4837d82b1860b41b8f4eef4e0d25caa3796aee1d11ae681c698360
Instruction ID: 7c7329f7b1d46f12d107bb233c4f25c9d5ed07d2676295853f9ffbe0a9706ae6
Opcode Fuzzy Hash: 8b9b473d5a4837d82b1860b41b8f4eef4e0d25caa3796aee1d11ae681c698360
Instruction Fuzzy Hash: ACB17C72B11B4089FB02DBA6E4903DC3372E758BE8F415216EB6D276B9DE38C556C340

Function 00000001400BC1A8 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400BBD88: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBDC9
Part of subcall function 00000001400BBD88: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBE49
Part of subcall function 00000001400BBD88: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBE9D
Part of subcall function 00000001400BBD88: _get_daylight.LIBCMT ref: 00000001400BBEF5

CreateFileW.KERNEL32 ref: 00000001400BC2AE
CreateFileW.KERNEL32 ref: 00000001400BC2FE
GetLastError.KERNEL32 ref: 00000001400BC32E
GetFileType.KERNEL32 ref: 00000001400BC343
GetLastError.KERNEL32 ref: 00000001400BC34D
CloseHandle.KERNEL32 ref: 00000001400BC380
CloseHandle.KERNEL32 ref: 00000001400BC4E4
CreateFileW.KERNEL32 ref: 00000001400BC519
GetLastError.KERNEL32 ref: 00000001400BC528

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 753a868522920c13805243186adf8c4e2374246b5d7d68e956884b52a4ec5eaf
Instruction ID: df724e996bf74a73b2ecd8b47eed1057070da7b5f500da81edbc3815030807dd
Opcode Fuzzy Hash: 753a868522920c13805243186adf8c4e2374246b5d7d68e956884b52a4ec5eaf
Instruction Fuzzy Hash: A4C18D36720A4486EB12CFAAD4917ED3771E78DBE8F015215EB2A9B7E4CB34C556C340

Function 0000000140076560 Relevance: 9.0, APIs: 6, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteObject.GDI32 ref: 00000001400765A3
EnterCriticalSection.KERNEL32 ref: 00000001400765B5
EnterCriticalSection.KERNEL32 ref: 00000001400765C5
GdiplusShutdown.GDIPLUS ref: 00000001400765D3
LeaveCriticalSection.KERNEL32 ref: 00000001400765E0
LeaveCriticalSection.KERNEL32 ref: 00000001400765EA

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 77912509c6f337dc7d8ec125c4cf1fa201effe9473ecc654b93c865c04cae22e
Instruction ID: 8f8e3ab57aafae9fa0c44c134ec2e5ace7f3b90b3fb38e10477330c877be6374
Opcode Fuzzy Hash: 77912509c6f337dc7d8ec125c4cf1fa201effe9473ecc654b93c865c04cae22e
Instruction Fuzzy Hash: B711F832112B5081EB519F26F89439D73A4FB48FA8F684215EB6E076B4DF39C997C350

Function 0000000140077330 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014007736B
OpenProcessToken.ADVAPI32 ref: 000000014007737E
GetTokenInformation.ADVAPI32 ref: 00000001400773BA
CloseHandle.KERNEL32 ref: 00000001400773DB

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 00b0df4dc7f9694baae5005e156e817c13b0319292be5f7fe7feab606ef2cbc6
Instruction ID: e251ca9ee9b19143fdc28a295a5a21afa9212cdef8e06ded5e80fd261c009666
Opcode Fuzzy Hash: 00b0df4dc7f9694baae5005e156e817c13b0319292be5f7fe7feab606ef2cbc6
Instruction Fuzzy Hash: E411E932218B8086E7519F16F84078BB6A0FB88BC0F549126FB9D57B68CF3CC556CB40

Function 000000014007C8F7 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000014007CC2C
closesocket.WS2_32 ref: 000000014007CC3E
WSACleanup.WS2_32 ref: 000000014007CC44

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: a677aa6526d52f58164388ec3fdd38fb54d2159b5e6819c85613790274bae36f
Instruction ID: 41c5684b3dace45f81b32348e7e9067f3d0d19d94502cff9decf575b6d30c7f1
Opcode Fuzzy Hash: a677aa6526d52f58164388ec3fdd38fb54d2159b5e6819c85613790274bae36f
Instruction Fuzzy Hash: 6E917F73A14BC481EA22CB26E4447DE6761E7997E0F505316EBAD07AEADF7CC481C740

Function 000000014007EC51 Relevance: 4.7, APIs: 3, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007EC69
RegEnumKeyExA.ADVAPI32 ref: 000000014007ECAE
RegCloseKey.ADVAPI32 ref: 000000014007EEA4

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 4f99731cfaa9b943471568a948d662e665ccdb5f0871fe36ab587b1e6d483eb7
Instruction ID: 42d7a9f722af6103cc879de361e797e2247a4f750486cd97bab3717875c1bf13
Opcode Fuzzy Hash: 4f99731cfaa9b943471568a948d662e665ccdb5f0871fe36ab587b1e6d483eb7
Instruction Fuzzy Hash: 20718D72A04B8485EB21CB66E44439EB761F7997E8F104316FBAD17AE9DB78D4C1C700

Function 000000014007EBE0 Relevance: 4.6, APIs: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007EC69
RegEnumKeyExA.ADVAPI32 ref: 000000014007ECAE

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 46bd58a12b008dc4fb39d495499ba587134d0b1724cd67ac3c87297145181dbc
Instruction ID: dd1ce02d20620aeea316ecbb8d9834f8feed39daa1cb3e2fdaa5b0edd2f75d84
Opcode Fuzzy Hash: 46bd58a12b008dc4fb39d495499ba587134d0b1724cd67ac3c87297145181dbc
Instruction Fuzzy Hash: 8F315C32611B8586E722CBA2E85479E77A4F788798F604216EF9917A64DF38C592C700

Function 000000014007E91B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007E937
RegQueryValueExA.ADVAPI32 ref: 000000014007E976
RegCloseKey.ADVAPI32 ref: 000000014007EA14

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0a46b1652e2b08d48d0e6dea534822a758205615231c0f490cf0df5ec8ba0322
Instruction ID: b9c17589a7c69ae175bdbf0880ed7a2a362000434427c19a8a3682823404ca15
Opcode Fuzzy Hash: 0a46b1652e2b08d48d0e6dea534822a758205615231c0f490cf0df5ec8ba0322
Instruction Fuzzy Hash: 8C218472715BC481EA518B26E4503AEA760F7DD7D4F505212FB8D43AB9EE3CC084CB40

Function 000000014007D3D0 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 000000014007D3F7
GetGeoInfoA.KERNEL32 ref: 000000014007D411
GetGeoInfoA.KERNEL32 ref: 000000014007D461

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: eff57a31dd390740acec67971f514cd0a98d129192d656519c06aa52eb4ab1bf
Instruction ID: 985ca9368a60d1c983616f1c26af2aaf6d0aaa99dd4a8e9c06da54f9f73d072e
Opcode Fuzzy Hash: eff57a31dd390740acec67971f514cd0a98d129192d656519c06aa52eb4ab1bf
Instruction Fuzzy Hash: DB119D72614B8183E7118F62F45475EB7A1FB94BC8F045225EB8903B69DF7CD490CB84

Function 000000014003F1B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014003F39C

Strings

, xrefs: 000000014003F233

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-3916222277
Opcode ID: 14adb9188745a0eb55025849a16a4a6f16f804bdfb3dbea74f194ca0d799a2ec
Instruction ID: c9a4cc12e588ea41b4af3288d2b98ff64d36375d61920446b71fc5dfaa69309d
Opcode Fuzzy Hash: 14adb9188745a0eb55025849a16a4a6f16f804bdfb3dbea74f194ca0d799a2ec
Instruction Fuzzy Hash: 28513676304B4496EB168F2AD5943AE33A0F788BD4F984622EF5D43BA5CF78D5A1D300

Function 0000000140045610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014004576B

Strings

cannot use operator[] with a numeric argument with , xrefs: 0000000140045B39

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot use operator[] with a numeric argument with
API String ID: 118556049-485864652
Opcode ID: c9011d7d9fad354859173e632fcf9d1f0852c6eb0fc6f6413100ace60f3e9c16
Instruction ID: 07664c75f5100bd845ce14f87bd1fa582affa661629aaadab39adbd3ef6eb26d
Opcode Fuzzy Hash: c9011d7d9fad354859173e632fcf9d1f0852c6eb0fc6f6413100ace60f3e9c16
Instruction Fuzzy Hash: 5431D272305B8085EE12AB17B5443DD6365A70CBE5F990635BF6D0B7E6DE38C481C304

Function 000000014007E770 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 000000014007E7AC

Strings

Unknown, xrefs: 000000014007E866

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: cb6c1058ad2a36a769174fb096febf5b7ec6d3bbd2b7e1a3a8ca259afe23406b
Instruction ID: d384ca6087cfe21c8346814f25f03d85b6a317e5be2dc90e170939f5b715d1af
Opcode Fuzzy Hash: cb6c1058ad2a36a769174fb096febf5b7ec6d3bbd2b7e1a3a8ca259afe23406b
Instruction Fuzzy Hash: BD31AF33628BC086E7118B22E5403DAA760F79DB84F546215FBC917A6ADB7CC695CB00

Function 00000001400769E0 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 0000000140076A39
CoTaskMemFree.OLE32 ref: 0000000140076AFA

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID:
API String ID: 969438705-0
Opcode ID: 6d79bdde875dd07f2ffd806efdef9561ccdddca68267246a4708dfdcec93f9e3
Instruction ID: c24a2b477f3dd54952fba79d28766ac4886fad9f90b6e9905c03ad4d2c94c72d
Opcode Fuzzy Hash: 6d79bdde875dd07f2ffd806efdef9561ccdddca68267246a4708dfdcec93f9e3
Instruction Fuzzy Hash: 15317372A14B8481E621DF2AE44039EB761F79D7F4F105316FBAD13AA9DB7CC1818B40

Function 000000014008C094 Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C0BB

Part of subcall function 000000014008C050: _invalid_parameter_noinfo.LIBCMT ref: 000000014008C067

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C168

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2a2f035bad3878c266e9f348a7d24f62ad09782a769adccf4134d448c9e1ca80
Instruction ID: f34595190bd11b1bb0484c3f2cb1f0762e4c01be78061c132d5b2c2473619775
Opcode Fuzzy Hash: 2a2f035bad3878c266e9f348a7d24f62ad09782a769adccf4134d448c9e1ca80
Instruction Fuzzy Hash: 3521913362164491EE56EB26E491BED3360F79EBD4F940221F71A473F2EA39C619C700

Function 000000014007422C Relevance: 3.1, APIs: 2, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003C780: CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003C7CA
Part of subcall function 000000014003C780: Process32FirstW.KERNEL32 ref: 000000014003C80C

Part of subcall function 000000014003AB80: CredEnumerateA.ADVAPI32 ref: 000000014003ABE2

Part of subcall function 000000014007C570: recv.WS2_32 ref: 000000014007C74C

ReleaseMutex.KERNEL32 ref: 0000000140074292
CloseHandle.KERNEL32 ref: 000000014007429B

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: 01d168897def731aa6e3a000f5dd337d6a2df32601c2afb7a96eab15f04a0c2e
Instruction ID: d05bbe10d27b05fc77d4a56d16fa938ee2bab4b8980277f65d8ec217585f9c4e
Opcode Fuzzy Hash: 01d168897def731aa6e3a000f5dd337d6a2df32601c2afb7a96eab15f04a0c2e
Instruction Fuzzy Hash: AF219D7161428081FA6377B7A4063DE6341AF8E7D1F405211FB99435F79F3C80818622

Function 000000014009B1F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000000014009B240
GetLastError.KERNEL32 ref: 000000014009B24A

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cfbe0d5e6ab2a672f5326b19d912b385c2835b425c006a976bdb9443a511856b
Instruction ID: eb1a70d1cd2abdfdf18c43143c0d078d39b75a1bbcf7aae935b1773092e18f07
Opcode Fuzzy Hash: cfbe0d5e6ab2a672f5326b19d912b385c2835b425c006a976bdb9443a511856b
Instruction Fuzzy Hash: F7119A72304B8081DA618B26B9443ADA361E789FF4F984325FFBA4B7F9CE78C4518740

Function 0000000140074280 Relevance: 3.0, APIs: 2, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 0000000140074292
CloseHandle.KERNEL32 ref: 000000014007429B

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 0a8c6313884733dc564379ca84631e621affa6c724ffc66aa4246c7b20b94efc
Instruction ID: fcf9d4bad52eab2ac32dfb73c78c87cce2bd7604f036ba043638c5741b38055f
Opcode Fuzzy Hash: 0a8c6313884733dc564379ca84631e621affa6c724ffc66aa4246c7b20b94efc
Instruction Fuzzy Hash: 3C012172B1468182FB56AB6AB4053DD6350AB9DBE0F445211BB9D476F6DF7CC0828601

Function 00000001400A9B78 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400A9BA8

Part of subcall function 00000001400AAAAC: std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400AAAB5

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400A9BAE

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
Instruction ID: 6a882cecba2f0b7d9baf0c1997fcca67b59b46383f8a5ba7f78fe763666bc857
Opcode Fuzzy Hash: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
Instruction Fuzzy Hash: EEE0E23072210942FB6B26E32A163E511844BAD3F0E2C1B207B790B6E2AB3488D18920

Function 0000000140098BD0 Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140098BE6
GetLastError.KERNEL32 ref: 0000000140098BF0

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1accfea67cdd21986d9efcea98fc74e52ea19ea372fa65de8421b8aa35d71a2a
Instruction ID: 790c9cd93a0b713413afca841f51c08b2edae0917a8305d2c09eb598c9dbecb7
Opcode Fuzzy Hash: 1accfea67cdd21986d9efcea98fc74e52ea19ea372fa65de8421b8aa35d71a2a
Instruction Fuzzy Hash: DCE05BB5B5260182FF2B6BF368557ED02955F9D7C1F440420BF1953371ED388C864714

Function 000000014008AEF0 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014008B140

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: d42e9d67ba9dda84cdc07bb7a948a1b0668744bb267f6826ad1e579085825889
Instruction ID: d6d58eced71b88c6c8daf10a01f1c34b978f624362899ecfb8a5205fbc48a356
Opcode Fuzzy Hash: d42e9d67ba9dda84cdc07bb7a948a1b0668744bb267f6826ad1e579085825889
Instruction Fuzzy Hash: D4618B73301A8485EA269F17D1543AE67A1F709FD8F548621EF6D0B7E6DE39CA86C300

Function 000000014002DEB0 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 000000014002DFE3

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: f13adafbf05f298fb05c240c22b120799180002ce19dcd5bad98c2d158ff10dc
Instruction ID: 9e6d60340c6006ea336a3fa614cd808e5e5ad22797c23cbf1a593420299ee011
Opcode Fuzzy Hash: f13adafbf05f298fb05c240c22b120799180002ce19dcd5bad98c2d158ff10dc
Instruction Fuzzy Hash: 8A619072B50B8485EB12DFAAD4903DD23A1E74C7E8F40562AFF1957AE9DA74C8928340

Function 0000000140045780 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140045915

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: abca537383b5ec5d416665d4516e486c91a71911ac11bea2ee59148cfcac8691
Instruction ID: aab651806a49d158eeef3b7a05e9f87a84898afd1d08cfe48f9b7d1d35d784f2
Opcode Fuzzy Hash: abca537383b5ec5d416665d4516e486c91a71911ac11bea2ee59148cfcac8691
Instruction Fuzzy Hash: 1C41BB72315B8481EE12AF13A1443DD6362F74DBD5F59462AEFAE0B7A6EF38C4818304

Function 0000000140068DB0 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140068F57

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 6d7032a10d32d82ee0d59bc810b207fc49dfb3c140a00b8c9aea0689fee25a69
Instruction ID: 512535f010b9d5ae8951b9984e285ac8eb6a52971a4c7126c558556d77615bc9
Opcode Fuzzy Hash: 6d7032a10d32d82ee0d59bc810b207fc49dfb3c140a00b8c9aea0689fee25a69
Instruction Fuzzy Hash: 7E416176315B8481DA25DB66E5543AEB3A2F74DBD0F644A26BFAD07BA5DF39C040C300

Function 000000014007DD90 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 000000014007DE20

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 59b1b2dc021690f29ff1adf7fe0950669b25c86177543ebafd4068a053effeab
Instruction ID: 8c3407fd8a6d029249ea15150631626afb0bd6f16a7ca74dd13ecfd95f12c210
Opcode Fuzzy Hash: 59b1b2dc021690f29ff1adf7fe0950669b25c86177543ebafd4068a053effeab
Instruction Fuzzy Hash: 16519E32A14B808AE712CF69E8403DD7770F798788F504216EB8C57AA9DF78C685CB40

Function 00000001400990CC Relevance: 1.6, APIs: 1, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400990F4

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ffb60abcc7d805805bbbb6e3c8eb0595d1e36488306bed0171541e42b1ddf4f3
Instruction ID: 9fbaa5e4fb57bcc170b1f55c51ddee327d9a17fad684bf4da9b59787efee6265
Opcode Fuzzy Hash: ffb60abcc7d805805bbbb6e3c8eb0595d1e36488306bed0171541e42b1ddf4f3
Instruction Fuzzy Hash: CB41CB3220160487EA7A9B6FE5803E977A0F79ABD0F140201FB9A877F1DB38C442C741

Function 000000014003FC70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014003FD78

Part of subcall function 000000014002B510: __std_exception_copy.LIBVCRUNTIME ref: 000000014002B558

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 317858897-0
Opcode ID: f963baeed23c76e2403023d3bb9c1a63123fa01d9368323ef353fb6ec911463a
Instruction ID: 690cedcfc4ee262b6ef760f99a8dc8a89f6e70b6b68083a452b48f8b6fcf2cfc
Opcode Fuzzy Hash: f963baeed23c76e2403023d3bb9c1a63123fa01d9368323ef353fb6ec911463a
Instruction Fuzzy Hash: 9421C332711B4441EA1BAB56A2443F96391AB48BE4F244721AB7C0BBE2EE78C5D29340

Function 00000001400414AA Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400415A1

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 6643d297a41aaac816b7a16b8b42f4a3746ebca0d5da8370e3e32a66f5a322ba
Instruction ID: d2f646ea3797fb6b7b3fcd726ef3aa4ca6dee8541d64d257c5e58883647cd415
Opcode Fuzzy Hash: 6643d297a41aaac816b7a16b8b42f4a3746ebca0d5da8370e3e32a66f5a322ba
Instruction Fuzzy Hash: EF21F472312A6484FE17AB52E1543EC2651A7CCBD4F550622BB2F0BBE6EE38C4908348

Function 000000014009AB64 Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009AC5B

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 294c853aa37f5a5617f97abcb6e76066dc0e8fa578696287dd77497f0a990e96
Instruction ID: 2011f515ef95bed98ffbd87fff3cc5c1b1dd8e5a7b900fba54d7e04fdfb142bd
Opcode Fuzzy Hash: 294c853aa37f5a5617f97abcb6e76066dc0e8fa578696287dd77497f0a990e96
Instruction Fuzzy Hash: 8031BF72200A048AE703AB1798813EC3A91A79DBE4F910209FB25073F2CBBCC8818752

Function 00000001400B96E8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B9645

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7c895007b33088ccfaf1e6f628ab4e06c51e84b9704ffe395df2c2cc19cee228
Instruction ID: 7c4d815f048383e7f19acdc8bcd540e6f9058b3da980295672d02bf6c5b866d8
Opcode Fuzzy Hash: 7c895007b33088ccfaf1e6f628ab4e06c51e84b9704ffe395df2c2cc19cee228
Instruction Fuzzy Hash: 29119332215A8081EA629F9394107EEA3B4F78DBC4F544021FF8857BB7DB7CC9418B41

Function 00000001400BBA4C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BBA6F

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c6418ee08a2d99bb0f834513c3113b55ba0090fec11726b4d83439bcee0c9c8b
Instruction ID: 1f5195086c7d46c311c29bac2112077e7c7e8efb0fbaa95545f75f1ab8f1d77f
Opcode Fuzzy Hash: c6418ee08a2d99bb0f834513c3113b55ba0090fec11726b4d83439bcee0c9c8b
Instruction Fuzzy Hash: A421C332614A8087EB629F5AD4807E977B0F788BD4F544224FB5A876F9DB78C901CB00

Function 0000000140078940 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000140078988

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 7b04e324c28c7b3b536a77f29125a2cbdc818c3a16a0c9b647f77b530166216f
Instruction ID: 2219061207c83d129cb1c736d1c6ec4aa92e3636ad338a2aece9c5acb717b77f
Opcode Fuzzy Hash: 7b04e324c28c7b3b536a77f29125a2cbdc818c3a16a0c9b647f77b530166216f
Instruction Fuzzy Hash: 60016D31714A8481EB618F1BB94076AA7A0F78CFD4F5C5135EF9D43B68EA38C8518B40

Function 0000000140035813 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140035856

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e0a95e762ac370655b826f283ad5be534de47ca55310324722f815d57650390d
Instruction ID: f830afe8215133ded52682cabdddb9823e6c0aa40326b072aa507c9e632b5dfb
Opcode Fuzzy Hash: e0a95e762ac370655b826f283ad5be534de47ca55310324722f815d57650390d
Instruction Fuzzy Hash: FC01FF36218A8081EA72DB56F45439B7364F78CBD5F504122DF8D53B69DE39C886CB00

Function 000000014008C794 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C7B3

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
Instruction ID: 3b2c6bae783cdb39cb4440d0a9dae228b65e0b1c14ba49f2db65e1423007f410
Opcode Fuzzy Hash: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
Instruction Fuzzy Hash: 26E0D832329A4541FB666B7BE1817ED72A07F4C7F4F544321B734037EADB3489644A11

Function 00000001400B6690 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00000001400B6694

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 399010cf59670fbe1ab766e5364ca5726a54ee50150088915aa0494e8ff061f8
Instruction ID: 79b0d941b71851d67e3ed5e9fb9396718875f970e065e4daac4691504fa385df
Opcode Fuzzy Hash: 399010cf59670fbe1ab766e5364ca5726a54ee50150088915aa0494e8ff061f8
Instruction Fuzzy Hash: 15C04C39F15902C1E6571BB36C4238A11A0AB5D790F844020960882160DA7C81D78A21

Function 00000001400B8284 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00000001400B828D

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d2557f7b5759ed9bc386ef8196c01d1f416ca1932cbdf92fbfd30ab0328ea477
Instruction ID: c1f8abdfa3c11aa9de56e1ee108be8b74f057e80f86e55c58f9080c7b4b0d2de
Opcode Fuzzy Hash: d2557f7b5759ed9bc386ef8196c01d1f416ca1932cbdf92fbfd30ab0328ea477
Instruction Fuzzy Hash: 4EB09276A148C0C3C652EB08F84274A7331FB98B08FD00014E38D43624CE2DCA2A8E10

Function 0000000140099238 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009928D

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: daa2573087b623b9abe981fec17a8f56eee38245be2309f6bf9e0089a2be3b00
Instruction ID: bf0e06441a54d6a1cc18ada1439082aae455cc3fa69792b77033dabdc6dabecd
Opcode Fuzzy Hash: daa2573087b623b9abe981fec17a8f56eee38245be2309f6bf9e0089a2be3b00
Instruction Fuzzy Hash: A5F01778302304A1FF5757AB99653E923886B9DBC0F484425AB0A877F1DE3CC9828221

Function 000000014009B570 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009B5AE

Memory Dump Source

Source File: 00000001.00000002.2163315602.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_setup_run.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 749b1888752cbaf3ccc5c12c07e09f2981eaae3f5329f421042af50cb2ee18bc
Instruction ID: e4cfd1d18ed068b3df031a5d4ed3d8bcfc5426a02b12f11125bcbc387410a6eb
Opcode Fuzzy Hash: 749b1888752cbaf3ccc5c12c07e09f2981eaae3f5329f421042af50cb2ee18bc
Instruction Fuzzy Hash: 78F03074301A4045FE5767B35A913F921809B8C7F0F4A4734BF2A873F1DA7CC4828621

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup_run.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\setup_run.exe:a.dll

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
setup_run.exe

Function 00007FF8E7B01690 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 193
libraryloaderinjectionCOMMON

Function 00007FF650A124B0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 301
libraryloaderCOMMON

Function 00007FF650A11E00 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 380
COMMON

Function 00007FF650A11180 Relevance: 12.2, APIs: 8, Instructions: 191
sleepstringCOMMON

Function 00007FF650A54B60 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 120
stringCOMMON

Function 00007FF8E7B222C0 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 120
stringCOMMON

Function 00007FF8E7B011D0 Relevance: 7.7, APIs: 5, Instructions: 164
sleepCOMMON

Function 00007FF650A53F30 Relevance: 2.6, APIs: 2, Instructions: 78
COMMON

Function 00007FF8E7B21C20 Relevance: 2.6, APIs: 2, Instructions: 78
COMMON

Function 00007FF650A29BF0 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 00007FF8E7B183A0 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 00007FF8E7B1F7B0 Relevance: 1.3, APIs: 1, Instructions: 34
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre